Abstract

We present a modification of the superposition calculus that is meant to generate 
explanations why a set of clauses is satisfiable. This process is related to abductive 
reasoning, and the explanations generated are clauses constructed over so-called 
abductive constants. We prove the correctness and completeness of the calculus 
in the presence of redundancy elimination rules, and develop a sufficient condition 
guaranteeing its termination; this sufficient condition is then used to prove that all 
possible explanations can be generated in finite time for several classes of clause 
sets, including many of interest to the SMT community. We propose a procedure 
that generates a set of explanations that should be useful to a human user and 
conclude by suggesting several extensions to this novel approach. 

1 Introduction 

The verification of complex systems is generally based on proving the validity, or, dually, 
the satisfiability of a logical formula. The standard practice consists in translating 
the behavior of the system to be verified into a logical formula, and proving that the 
negation of the formula is unsatisfiable. These formulas may be domain-specific, so that 
it is only necessary to test the satisfiability of the formula modulo some background 
theory, whence the name Satisfiability Modulo Theories problems, or SMT problems. 
If the formula is actually satisfiable, this means the system is not error-free, and any 
model can be viewed as a trace that generates an error. The models of a satisfiable 
formula can therefore help the designers of the system guess the origin of the errors and 
deduce how they can be corrected. Yet, this still requires some work. Indeed, there are 
generally many interpretations on different domains that satisfy the formula, and it is 
necessary to further analyze these models to understand where the error(s) may come 
from. 

Figure 1: Insertion into array a of element b at position i and element c at position j.

We present what is, to the best of our knowledge, a novel approach to this debugging problem: we argue that rather than studying one model of a formula, more valuable information can be extracted from the properties that hold in all the models of the formula. For instance, consider the theory of arrays, which is axiomatized as follows (as introduced by [12]):

$\forall x, z, v.\ \mathit{select}(\mathit{store}(x, z, v), z) \simeq v$, (1)
$\forall x, z, w, v.\ z \simeq w \vee \mathit{select}(\mathit{store}(x, z, v), w) \simeq \mathit{select}(x, w)$. (2)

These axioms state that if element v is inserted into array x at position z, then the 
resulting array contains v at position z, and the same elements as in x elsewhere. 
Assume that to verify that the order in which elements are inserted into a given array 
does not matter, the satisfiability of the following formula is tested (see also Figure 1): 

$\mathit{select}(\mathit{store}(\mathit{store}(a, i, b), j, c), k) \not\simeq \mathit{select}(\mathit{store}(\mathit{store}(a, j, c), i, b), k)$.

This formula asserts that there is a position $k$ that holds different values in the array obtained from $a$ by first inserting element $b$ at position $i$ and then element $c$ at position $j$, and in the array obtained from $a$ by first inserting element $c$ at position $j$ and then element $b$ at position $i$. It turns out that this formula is actually satisfiable, which in this case means that some hypotheses are missing. State-of-the-art SMT solvers such as Yices [14] can help find out what hypotheses are missing by outputting a model of the formula. In this case, Yices outputs (= b 1) (= c 3) (= i 2) (= k 2) (= j 2), and for this simple example, such a model may be sufficient to quickly understand where the error comes from. However, a simpler and more natural way to determine what hypotheses are missing would be to have a tool that, when fed the formula above, outputs $i \simeq j \wedge b \not\simeq c$, stating that the formula can only be true when elements $b$ and $c$ are distinct and are inserted at the same position in $a$. This information makes it possible to know immediately what additional hypotheses must be made for the formula to be unsatisfiable. In this example, there are two possible hypotheses that can be added: $i \not\simeq j$ or $b \simeq c$.

In this paper, we investigate what information should be provided to the user and how it can be obtained, by distinguishing a set of constants on which additional hypotheses are allowed to be made. These constants are called abducible constants or simply abducibles, and the problem boils down to determining what ground clauses containing only abducibles are logically entailed by the formula under consideration, since the negation of any of these clauses can be viewed as a set of additional hypotheses that make the formula unsatisfiable.
Outline. This paper begins by summarizing all necessary background, and then a calculus specially designed for abductive reasoning is defined. This calculus is closely related to the superposition calculus $\mathcal{SP}$, and we rely on completeness and termination results for $\mathcal{SP}$ to prove similar results for the new calculus. We also propose a method for generating clauses containing only abducibles that can help a user quickly detect where an error comes from, and decide what additional hypotheses should be added to fix the faulty formula.

2 Preliminaries 

The general framework of this paper is first-order logic with equality. Most of the presentation in this section is standard, and we refer the reader to [13] for details. Given a signature $\Sigma$ and an integer $i \geq 0$, $\Sigma^i$ stands for the set of function symbols in $\Sigma$ of arity $i$. In particular, $\Sigma^0$ denotes the set of constants in $\Sigma$. We assume the standard definitions of terms, predicates, literals and clauses, all of which are constructed over a set of variables $X$. We also consider the standard definitions of positions in terms, predicates, literals or clauses; the set of positions of a term $t$ is denoted by $\mathrm{Pos}(t)$. A term, predicate, literal or clause containing no variable is ground. As usual, clauses are assumed to be variable-disjoint. The symbol $\simeq$ stands for unordered equality, and $\bowtie$ is either $\simeq$ or $\not\simeq$. A literal $t \simeq s$ is positive, and a literal $t \not\simeq s$ is negative. If $L$ is a literal, then $L^c$ denotes the complementary literal of $L$, i.e., $(t \simeq s)^c = (t \not\simeq s)$ and $(t \not\simeq s)^c = (t \simeq s)$. A literal is flat if it only contains constants or variables$^1$, and a clause is flat if it only contains flat literals. The letters $l, r, s, u, v$ and $t$ denote terms, $w, x, y, z$ variables, and all other lower-case letters denote constants or function symbols.

Definition 1 Given a ground clause $C$, we denote by $\neg C$ the following set of literals: $\neg C = \{L^c \mid L \in C\}$.

Throughout this paper, for technical convenience, we will compare clauses modulo associativity and commutativity of the disjunction operator, but not modulo idempotence. For instance, the clause $f(a) \simeq f(b) \vee c \simeq d \vee a \simeq c$ will be considered as equal to $c \simeq a \vee f(b) \simeq f(a) \vee c \simeq d$, and different from $f(a) \simeq f(b) \vee c \simeq d \vee a \simeq c \vee a \simeq c$.

A substitution is a function mapping variables to terms. Given a substitution $\sigma$, the set of variables $x$ such that $x\sigma \neq x$ is called the domain of $\sigma$ and denoted by $\mathrm{dom}(\sigma)$. If $\sigma$ is a substitution and $V$ is a set of variables, then $\sigma|_V$ is the substitution with domain $\mathrm{dom}(\sigma) \cap V$ that matches $\sigma$ on this domain. As usual, a substitution can be extended into a homomorphism on terms, atoms, literals and clauses. The image of an expression $\mathcal{E}$ by a substitution $\sigma$ will be denoted by $\mathcal{E}\sigma$. If $E$ is a set of expressions, then $E\sigma$ denotes the set $\{\mathcal{E}\sigma \mid \mathcal{E} \in E\}$. The composition of two substitutions $\sigma$ and $\theta$ is denoted by $\sigma\theta$. A substitution $\sigma$ is more general than $\theta$ if there exists a substitution $\eta$ such that $\theta = \sigma\eta$. The substitution $\sigma$ is a renaming if it is injective and $\forall x \in \mathrm{dom}(\sigma),\ x\sigma \in X$; and it is a unifier of two terms $t, s$ if $t\sigma = s\sigma$. Any unifiable pair of terms $(t, s)$ has a most general unifier, unique up to a renaming, and denoted by $\mathrm{mgu}(t, s)$. A substitution $\sigma$ is ground if $x\sigma$ is ground, for every variable $x$ in its domain.

$^1$ Note that we depart from the terminology in [2, 1], where flat positive literals can contain a term of depth 1.

Superposition:
$$\frac{C \vee l[u'] \simeq r \qquad D \vee u \simeq t}{(C \vee D \vee l[t] \simeq r)\sigma} \quad \text{(i), (ii), (iii), (iv)}$$

Paramodulation:
$$\frac{C \vee l[u'] \not\simeq r \qquad D \vee u \simeq t}{(C \vee D \vee l[t] \not\simeq r)\sigma} \quad \text{(i), (ii), (iii), (iv)}$$

Reflection:
$$\frac{C \vee u' \not\simeq u}{C\sigma} \quad \text{(v)}$$

Equational Factoring:
$$\frac{C \vee u \simeq t \vee u' \simeq t'}{(C \vee t \not\simeq t' \vee u \simeq t')\sigma} \quad \text{(vi)}$$

where the notation $l[u']$ means that $u'$ appears as a subterm in $l$, $\sigma$ is the most general unifier (mgu) of $u$ and $u'$, $u'$ is not a variable in Superposition and Paramodulation, and the following abbreviations hold:

(i): $u\sigma \not\prec t\sigma$;

(ii): $\forall L \in D : (u \simeq t)\sigma \not\prec L\sigma$;

(iii): $l[u']\sigma \not\prec r\sigma$;

(iv): $\forall L \in C : (l[u'] \bowtie r)\sigma \not\prec L\sigma$;

(v): $\forall L \in C : (u' \not\simeq u)\sigma \not\prec L\sigma$;

(vi): $\forall L \in \{u' \simeq t'\} \cup C : (u \simeq t)\sigma \not\prec L\sigma$.

Figure 2: Inference rules of $\mathcal{SP}$: the clause below the inference line is added to the clause set containing the clauses above the inference line.

A simplification ordering $\prec$ is an ordering that is stable under substitutions, monotonic and contains the subterm ordering: if $s \prec t$, then $c[s]\sigma \prec c[t]\sigma$ for any context $c$ and substitution $\sigma$, and if $s$ is a strict subterm of $t$ then $s \prec t$. A complete simplification ordering, or CSO, is a simplification ordering that is total on ground terms. Similarly to [7], in the sequel, we shall assume that any CSO under consideration is good:

Definition 2 A CSO $\prec$ is good if for all ground compound terms $t$ and constants $c$, we have $t \succ c$.

The superposition calculus, or $\mathcal{SP}$ (see, e.g., [13]), is a refutationally complete rewrite-based inference system for first-order logic with equality. It consists of the inference rules summarized in Fig. 2: each rule contains premises, which are above the inference line, and generates a conclusion, which is below the inference line. If a clause $D$ is generated from premises $C, C'$, then we write $C, C' \vdash D$. The superposition calculus is based on a CSO on terms, which is extended to literals and clauses in a standard way (see, e.g., [3]), and we may write $\mathcal{SP}_\prec$ and $\vdash_\prec$ to specify the ordering. The set of clauses that are deducible with $\mathcal{SP}$ from premises in $S$ is denoted by $\mathcal{I}(S)$; it consists of all clauses that are generated by the inference rules in $\mathcal{SP}$ with premises in $S$. A set of clauses $S$ is $\mathcal{SP}$-closed if $\mathcal{I}(S) \subseteq S$. Given a set of clauses $S$ and a clause $C$, an $\mathcal{SP}$-derivation of $C$ from $S$ is a sequence $(C_1, \ldots, C_n)$ where $n > 0$, such that $C_n = C$ and for all $i \leq n$, $C_i \in S \cup \mathcal{I}(\{C_1, \ldots, C_{i-1}\})$. An $\mathcal{SP}$-refutation of $S$ is an $\mathcal{SP}$-derivation of $\square$ from $S$. A ground clause $C$ is $\prec$-redundant in $S$, or simply redundant, if there exists a set of ground clauses $S'$ such that $S' \models C$, and for every $D \in S'$, $D$ is an instance of a clause in $S$ and $D \prec C$. A non-ground clause $C$ is $\prec$-redundant in $S$ if all its instances are $\prec$-redundant in $S$. In particular, every strictly subsumed clause and every tautological clause is redundant. A set of clauses $S$ is saturated if every clause $C \notin S$ generated from premises in $S$ is redundant in $S$. A saturated set of clauses that does not contain $\square$ is satisfiable [13]. In practice, it is necessary to use a decidable approximation of this notion of redundancy: for example, a clause is redundant if it can be reduced by some demodulation steps to either a tautology or to a subsumed clause.

In the sequel, it will be necessary to forbid the occurrence of clauses containing maximal literals of the form $x \simeq t$, where $x \neq t$:

Definition 3 A clause is variable-eligible w.r.t. $\prec$ if it contains a maximal literal of the form $x \simeq t$, where $x \neq t$. A set of clauses $S$ is variable-inactive (see [1]) if no non-redundant clause generated from $S$ is variable-eligible.

For technical reasons we have chosen to present a slightly relaxed version of the superposition calculus, in which the standard strict maximality conditions have been replaced by maximality conditions. For instance in Condition (i), $u\sigma \not\preceq t\sigma$ is replaced by $u\sigma \not\prec t\sigma$: it is not forbidden for $u$ and $t$ to be distinct in Paramodulation and Superposition inferences. It is clear that the clauses generated in the case where there is an equality actually turn out to be redundant: for instance, if $u = t$ then the clause generated by the inference will be redundant w.r.t. its first premise.

3 A calculus for handling abducible constants

3.1 Overview 

As explained in the Introduction, the aim of this paper is to start with a formula $F$ and a set of axioms $A$, and generate a formula $H$ which logically entails $F$ modulo $A$, i.e., such that $H, A \models F$ (where $H \wedge A$ is satisfiable). As usual in abductive reasoning (see for instance [8]), we actually consider the contrapositive: since $H, A \models F$ is equivalent to $\neg F, A \models \neg H$, the original problem can be solved by generating logical consequences of the formula $\neg F \wedge A$. For the sake of simplicity, the formula $\neg F$ is added to the axioms, which are assumed to be in clausal form, and we have the following definition:

Definition 4 A clause $C$ is an implicate of a set of clauses $S$ iff $S \models C$.

It is clear that after its generation, it is necessary to verify that $H$ is satisfiable modulo $A$. For instance, if $a$ is some constant, then an explanation such as $a \simeq 0 \wedge a \simeq 1$, or even $0 \simeq 1$, does not provide any information since it contradicts the axioms of Presburger arithmetic. Testing this satisfiability can be done using standard decision procedures. There are many possible candidate sets of implicates, which may be more or less informative. For instance, it is possible to take $C \in S$, but this is obviously of no use. Thus it is necessary to provide additional information in order to restrict the class of formulas that are searched for. In (propositional) abductive reasoning, this is usually done by considering clauses built on a given set of literals: the abducible literals. A more natural possibility in the context of this paper is to consider clauses built on a given set of ground terms. We may assume with no loss of generality that each of these terms is replaced by a constant symbol, by applying the usual flattening operation, see, e.g., [2, 7]. For example, the term $\mathit{select}(\mathit{store}(a, i, b), j)$ may be replaced by a new constant $d$, along with the axioms $d \simeq \mathit{select}(d', j) \wedge d' \simeq \mathit{store}(a, i, b)$. We thus consider a distinguished set of constants $\mathcal{A} \subseteq \Sigma^0$, called the set of abducible constants, and restrict ourselves to explanations that are conjunctions of literals built on abducible constants. This is formalized with the following definition of an $\mathcal{A}$-implicate:

Definition 5 Let $S$ be a set of clauses. A clause $C$ is an $\mathcal{A}$-implicate of $S$ iff every term occurring in $C$ is also in $\mathcal{A}$ and $S \models C$.

As in propositional abductive reasoning, the set $\mathcal{A}$ must be provided by the user. The elements of $\mathcal{A}$ can simply be called abducibles. Given a set of clauses $S$ containing both the axioms $A$ and the clauses corresponding to the conjunctive normal form of $\neg F$, we investigate how to generate the set of flat ground clauses $C$ built on $\mathcal{A}$ that are logical consequences of $S$. Since $\mathcal{SP}$ is only refutationally complete, this cannot be done directly using this calculus. For instance, it is clear that $f(a) \not\simeq f(b) \models a \not\simeq b$, but $a \not\simeq b$ cannot be generated from the antecedent clause. In principle, it is possible to enumerate all possible clauses $C$ built on $\mathcal{A}$ and then use the superposition calculus to check whether $S \cup \neg C$ is unsatisfiable; however, this yields a very inefficient procedure. An alternate method consists in replacing the superposition calculus by a less restrictive calculus, such as the Resolution calculus [10] together with the equality axioms. For instance in the previous case, the clause $f(a) \not\simeq f(b)$ and the substitutivity axiom $x \not\simeq y \vee f(x) \simeq f(y)$ make it possible to generate $a \not\simeq b$ by the Resolution rule. However, again, this calculus is not efficient, and in particular all the termination properties of the superposition calculus on many interesting subclasses of first-order logic [4, 2, 1] are lost. In this section, we provide a variant of the superposition calculus which is able to directly generate, from a set of clauses $S$, a set of logical consequences of $S$ that are built on a given set of constant symbols $\mathcal{A}$. The calculus is thus parameterized both by the term ordering $\prec$ and by the set of abducibles $\mathcal{A}$. We shall show that the calculus is complete, in the sense that if $S \models C$ and if $C$ is an $\mathcal{A}$-implicate of $S$, then $C$ is a logical consequence of other clauses built on $\mathcal{A}$ that are generated from $S$. We will also prove that the calculus terminates on many classes of interest in the SMT community.

We will thus consider clauses of a particular form and a slight variation of the superposition calculus in order to be able to reason on abducibles. The principle behind this calculus is similar to that of [5] for the combination of hierarchic theories, with the difference that in this framework, abducibles can potentially interact with other terms, whereas in the framework of [5], elements of the different theories are of different sorts. In both settings however, the same abstraction principle is used to delay the reasoning on the objects of interest (in this case, the abducible constants). In what follows, we formally define such an abstraction and prove some of its properties. We then formally define the calculus $\mathcal{SP}_\mathcal{A}$.

3.2 Abstraction 

From now on we assume that the set of variables $X$ is of the form $X = \mathcal{V} \uplus \mathcal{V}_\mathcal{A}$. The elements in $\mathcal{V}$ are ordinary variables and the elements in $\mathcal{V}_\mathcal{A}$ are called abducible variables; they will serve as placeholders for abducible constants in terms and clauses. In the sequel, when we mention standard terms, literals or clauses, we assume that all the variables they contain are in $\mathcal{V}$.

Definition 6 An $\mathcal{A}$-literal is a literal of the form $t \bowtie s$, where $t, s \in \mathcal{V}_\mathcal{A} \cup \mathcal{A}$. An $\mathcal{A}$-clause is a disjunction of $\mathcal{A}$-literals. Given a clause $C$, we denote by $\mathcal{A}(C)$ the disjunction of $\mathcal{A}$-literals in $C$ and by $\overline{\mathcal{A}}(C)$ the disjunction of non-$\mathcal{A}$-literals in $C$. We denote by $\mathrm{Var}_\mathcal{A}(C)$ the set $\mathrm{Var}(C) \cap \mathcal{V}_\mathcal{A}$.

A first step towards reasoning on abducibles will consist in extracting them from 
the terms in which they occur, and replacing them by abducible variables. Then, to 
ensure that such a property is preserved by inferences, every substitution mapping an 
abducible variable to anything other than an abducible variable will be discarded. More 
formally: 

Definition 7 A term is abstracted if it contains no abducible constant. A literal $t \bowtie s$ is abstracted if $t$ and $s$ are both abstracted. A clause $C$ is abstracted if all non-abstracted literals in $C$ are $\mathcal{A}$-literals.

If t is an abstracted term, then not every instance of t is also abstracted. We define 
a condition on substitutions that guarantees such a stability result. 

Definition 8 A substitution $\sigma$ is $\mathcal{A}$-compliant if for all $x \in \mathrm{dom}(\sigma)$, $x\sigma$ is abstracted, and for all $x \in \mathrm{dom}(\sigma) \cap \mathcal{V}_\mathcal{A}$, $x\sigma \in \mathcal{V}_\mathcal{A}$. Two abstracted terms are $\mathcal{A}$-unifiable if they are unifiable and admit an $\mathcal{A}$-compliant mgu.

Proposition 9 If $\sigma$ and $\mu$ are $\mathcal{A}$-compliant, then so is $\sigma\mu$. If $\sigma$ is $\mathcal{A}$-compliant and $t$ is abstracted, then so is $t\sigma$.

It will be possible to define a calculus that generates abstracted clauses from abstracted premises thanks to the following property:

Proposition 10 If the abstracted terms $t, s$ are unifiable and admit an mgu $\mu$ such that for all $x \in \mathcal{V}_\mathcal{A}$, $x\mu \in \mathcal{V} \cup \mathcal{V}_\mathcal{A}$, then $t, s$ are $\mathcal{A}$-unifiable.

Proof. If $x \in \mathcal{V}_\mathcal{A}$, $y \in \mathcal{V}$ and $x\mu = y$, then $\mu' = \mu\{y \mapsto x\}$ is also an mgu of $t, s$ since it is a renaming of $\mu$, and $\mathrm{dom}(\mu') \cap \mathcal{V}_\mathcal{A} = \mathrm{dom}(\mu) \cap (\mathcal{V}_\mathcal{A} \setminus \{x\})$. By repeating this operation on all variables $x, y$ such that $x \in \mathcal{V}_\mathcal{A}$, $y \in \mathcal{V}$ and $x\mu = y$, we eventually obtain an mgu $\mu''$ of $t, s$ that, by construction, is $\mathcal{A}$-compliant. ■
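The renaming step of this proof, as an added Python illustration that is not part of the paper: a standard mgu is computed first, every binding $x \mapsto y$ with $x \in \mathcal{V}_\mathcal{A}$ and $y \in \mathcal{V}$ is then undone by composing with $\{y \mapsto x\}$, and the result is checked against Definition 8. The term encoding (nested tuples; abducible variables are strings starting with "_") is an assumption of the example.

```python
# Term representation (constructed for this example):
#   variable: str; ordinary variables (V) start with a letter,
#                  abducible variables (V_A) start with "_"
#   constant / compound term: tuple (symbol, arg1, ..., argn); constants are 1-tuples

def is_var(t):
    return isinstance(t, str)

def is_abd_var(t):
    return is_var(t) and t.startswith("_")

def apply_subst(t, sigma):
    """Homomorphic extension of the substitution sigma (a dict) to terms."""
    if is_var(t):
        return sigma.get(t, t)
    return (t[0],) + tuple(apply_subst(a, sigma) for a in t[1:])

def occurs(x, t):
    return t == x if is_var(t) else any(occurs(x, a) for a in t[1:])

def compose(sigma, tau):
    """sigma followed by tau: x(sigma tau) = (x sigma) tau; identity bindings dropped."""
    out = {x: apply_subst(u, tau) for x, u in sigma.items()}
    out.update({y: u for y, u in tau.items() if y not in sigma})
    return {x: u for x, u in out.items() if u != x}

def unify(t, s, sigma=None):
    """Standard syntactic unification with occurs check; returns an mgu or None."""
    sigma = {} if sigma is None else sigma
    t, s = apply_subst(t, sigma), apply_subst(s, sigma)
    if t == s:
        return sigma
    if is_var(t) or is_var(s):
        x, u = (t, s) if is_var(t) else (s, t)
        if occurs(x, u):
            return None
        return compose(sigma, {x: u})
    if t[0] != s[0] or len(t) != len(s):
        return None
    for a, b in zip(t[1:], s[1:]):
        sigma = unify(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def is_a_compliant(sigma, abducibles):
    """Definition 8: every image is abstracted (contains no abducible constant) and
    every abducible variable in the domain is mapped to an abducible variable."""
    def abstracted(t):
        if is_var(t):
            return True
        return not (len(t) == 1 and t[0] in abducibles) and all(abstracted(a) for a in t[1:])
    return all(abstracted(u) for u in sigma.values()) and \
        all(is_abd_var(u) for x, u in sigma.items() if is_abd_var(x))

def a_unify(t, s, abducibles=frozenset()):
    """Return an A-compliant mgu of the abstracted terms t and s, or None."""
    mu = unify(t, s)
    if mu is None:
        return None
    # Hypothesis of Proposition 10: abducible variables are only bound to variables.
    if any(is_abd_var(x) and not is_var(u) for x, u in mu.items()):
        return None
    # Renaming step of the proof: for x in V_A with x mu = y in V, compose with {y -> x}.
    for x, y in list(mu.items()):
        if is_abd_var(x) and is_var(y) and not is_abd_var(y):
            mu = compose(mu, {y: x})
    return mu if is_a_compliant(mu, abducibles) else None
```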
In the sequel, every time abstracted terms are $\mathcal{A}$-unifiable, we will assume the corresponding mgu is $\mathcal{A}$-compliant. The following definition shows how abstracted terms can be transformed into standard ones by replacing all variables in $\mathcal{V}_\mathcal{A}$ by an arbitrary element in $\mathcal{A}$.

Definition 11 Let $<_\mathcal{A}$ be a total ordering on $\mathcal{A}$ and $a_0$ denote the smallest abducible in $\mathcal{A}$. Given a term $t$, we denote by $t_{\downarrow\mathcal{A}}$ the term obtained by replacing every abducible occurring in $t$ by $a_0$. The term $t$ is $\mathcal{A}$-reduced if $t_{\downarrow\mathcal{A}} = t$. The previous notation and this definition extend to literals, clauses and sets of clauses.

Example 12 Let $C = f(b, c) \simeq g(d) \vee x \not\simeq b \vee f(a, b) \not\simeq f(c, d)$, where $\mathcal{A} = \{a, b, c\}$ and $a \prec b \prec c$. Then $C_{\downarrow\mathcal{A}} = f(a, a) \simeq g(d) \vee x \not\simeq a \vee f(a, a) \not\simeq f(a, d)$, and this clause is an $\mathcal{A}$-reduced clause.

$\mathcal{V}_\mathcal{A}$-stability

It is clear that if all abducibles are abstracted away from a standard clause, then the resulting abstracted clause is not equivalent to the former one. However, equivalence can be regained by adding so-called $\mathcal{V}_\mathcal{A}$-constraint literals to the resulting abstracted clause.

Definition 13 A $\mathcal{V}_\mathcal{A}$-constraint literal is a literal of the form $x \not\simeq a$, where $x \in \mathcal{V}_\mathcal{A}$ and $a \in \mathcal{A}$. For all clauses $C$, we denote by $\Gamma(C)$ the disjunction of $\mathcal{V}_\mathcal{A}$-constraint literals in $C$. A $\mathcal{V}_\mathcal{A}$-constraint clause is a disjunction of $\mathcal{V}_\mathcal{A}$-constraint literals. Given a $\mathcal{V}_\mathcal{A}$-constraint clause $\Lambda = \bigvee_{i=1}^{k} x_i \not\simeq a_i$, the substitution associated to $\Lambda$ is denoted by $\nu_\Lambda$ and defined as follows: $\mathrm{dom}(\nu_\Lambda) = \{x_1, \ldots, x_k\}$, and for all $x \in \mathrm{dom}(\nu_\Lambda)$, $x\nu_\Lambda = \min_{<_\mathcal{A}}\{a_i \mid x_i = x\}$.

For readability, if $B$ is a clause then we will write $\nu_B$ instead of $\nu_{\Gamma(B)}$. If $S$ is a set of abstracted clauses, then $S^\nu$ is the set $S^\nu = \{C\nu_C \mid C \in S\}$.

Example 14 Assume $\mathcal{A} = \{a, b, c\}$, where $a <_\mathcal{A} b <_\mathcal{A} c$, and let $\Lambda = x \not\simeq a \vee x \not\simeq c \vee y \not\simeq b \vee z \not\simeq a \vee y \not\simeq c$. Then $\nu_\Lambda = \{x \mapsto a,\ y \mapsto b,\ z \mapsto a\}$.

Note that by definition, $C \equiv C\nu_C$ and $S \equiv S^\nu$. As mentioned earlier, abducible variables are meant to be placeholders for abducible constants. In general, it will be necessary to keep some information permitting to know what abducible constants an abducible variable could be replaced by. Such a requirement is satisfied by imposing that every abducible variable occurs in at least one $\mathcal{V}_\mathcal{A}$-constraint literal, which intuitively specifies its value.

Definition 15 A clause $C$ is $\mathcal{V}_\mathcal{A}$-stable if $\mathrm{Var}_\mathcal{A}(C) \subseteq \mathrm{Var}_\mathcal{A}(\Gamma(C))$. A set of clauses is $\mathcal{V}_\mathcal{A}$-stable if every clause it contains is $\mathcal{V}_\mathcal{A}$-stable.

Note that if $C$ is such that $\mathrm{Var}(C) \subseteq \mathcal{V}_\mathcal{A}$, then $C$ is $\mathcal{V}_\mathcal{A}$-stable if and only if $C\nu_C$ is ground. For example, if $C$ is a $\mathcal{V}_\mathcal{A}$-stable $\mathcal{A}$-clause, then $C\nu_C$ is ground.

Lemma 16 Let $C$ be an $\mathcal{A}$-clause that is $\mathcal{V}_\mathcal{A}$-stable, $\mu$ be a substitution whose codomain is contained in $\mathrm{Var}_\mathcal{A}(C)$, and let $I$ be an interpretation such that:

1. for all $x \in \mathrm{Var}_\mathcal{A}(C)$, $I \models x\nu_C \simeq x\mu\nu_C$,

2. $I \models \neg(C\nu_C)$.

Let $D = C\mu$; then for all $x \in \mathrm{Var}_\mathcal{A}(D)$, $I \models x\nu_C \simeq x\nu_D$. Thus, in particular, $I \models \neg(D\nu_D)$.

Proof. Let $x \in \mathrm{Var}_\mathcal{A}(D)$, $\nu = \nu_C$ and $\nu' = \nu_D$. By hypothesis $x$ is in $\mathrm{Var}_\mathcal{A}(C)$, and for all literals $x \not\simeq b$ occurring in $C$, $I \models x\nu \simeq b$. Also, $I \models x\nu \simeq x\mu\nu$, thus $I \models x\mu\nu \simeq b$. Assume $x\nu' = c$ for some abducible constant $c \in \mathcal{A}$. By definition, $D$ must contain a literal of the form $x \not\simeq c$, thus $C$ must contain a literal $y \not\simeq c$, where $y\mu = x$. Since $I \models \neg(C\nu)$, necessarily $I \models y\nu \simeq c$, whence $I \models y\mu\nu \simeq c$, i.e., $I \models x\nu \simeq c$. Thus $I \models x\nu \simeq x\nu'$ and $I \models \neg(D\nu')$. ■

Given a set of standard clauses, it is easy to construct an equivalent set of abstracted and $\mathcal{V}_\mathcal{A}$-stable clauses. It suffices to replace every abducible $a$ occurring in a non-$\mathcal{A}$-literal by a fresh variable $x \in \mathcal{V}_\mathcal{A}$, and to add the literal $x \not\simeq a$ to the clause. For instance, if $\mathcal{A} = \{a, b\}$ then the clause $a \simeq b \vee a \simeq c \vee f(b, d, x) \not\simeq g(b, y)$ is replaced by $x_1 \not\simeq a \vee x_2 \not\simeq b \vee x_3 \not\simeq b \vee a \simeq b \vee x_1 \simeq c \vee f(x_2, d, x) \not\simeq g(x_3, y)$. Note that if $C$ is already an $\mathcal{A}$-clause, then the abstracted form of $C$ is $C$ itself.
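The abstraction just described, together with $\nu_C$ (Definition 13), $\mathcal{V}_\mathcal{A}$-stability (Definition 15) and $\mathcal{A}$-reduction (Definition 11), as an added Python example that is not part of the paper. The term and clause encoding is an assumption of the example, and the checks reproduce the clause above as well as Examples 12 and 14.

```python
from itertools import count

# Constructed conventions for this example:
#   variable: str; ordinary variables start with a letter, abducible
#             variables (elements of V_A) start with "_"
#   constant / compound term: tuple (symbol, arg1, ..., argn); constants are 1-tuples
#   literal: (lhs, rhs, positive); clause: list of literals
#   the abducibles A are given as a list whose order is <_A, so A[0] is a_0

def is_var(t):
    return isinstance(t, str)

def is_abd_var(t):
    return is_var(t) and t.startswith("_")

def is_abd_const(t, A):
    return not is_var(t) and len(t) == 1 and t[0] in A

def is_a_literal(lit, A):
    """Definition 6: both sides are in V_A or in A."""
    l, r, _ = lit
    return all(is_abd_var(u) or is_abd_const(u, A) for u in (l, r))

def abstract_clause(clause, A):
    """Replace each occurrence of an abducible constant in a non-A-literal by a fresh
    abducible variable x and add the V_A-constraint literal x != a (Section 3.2)."""
    fresh, constraints = count(1), []

    def abstract_term(t):
        if is_var(t):
            return t
        if is_abd_const(t, A):
            x = f"_x{next(fresh)}"
            constraints.append((x, t, False))
            return x
        return (t[0],) + tuple(abstract_term(a) for a in t[1:])

    body = [lit if is_a_literal(lit, A)
            else (abstract_term(lit[0]), abstract_term(lit[1]), lit[2])
            for lit in clause]
    return constraints + body

def constraint_literals(clause, A):
    """Gamma(C): the V_A-constraint literals x != a of C (Definition 13)."""
    return [(l, r, p) for (l, r, p) in clause
            if not p and is_abd_var(l) and is_abd_const(r, A)]

def nu(clause, A):
    """nu_C: map each constrained abducible variable to the <_A-smallest abducible
    it is constrained by (Definition 13)."""
    sub = {}
    for x, (a,), _ in constraint_literals(clause, A):
        if x not in sub or A.index(a) < A.index(sub[x][0]):
            sub[x] = (a,)
    return sub

def abd_vars(term):
    if is_var(term):
        return {term} if is_abd_var(term) else set()
    return set().union(*(abd_vars(a) for a in term[1:]))

def is_va_stable(clause, A):
    """Definition 15: Var_A(C) is contained in Var_A(Gamma(C))."""
    all_vars = set().union(*(abd_vars(l) | abd_vars(r) for l, r, _ in clause))
    constrained = {x for x, _, _ in constraint_literals(clause, A)}
    return all_vars <= constrained

def apply_subst(term, sub):
    if is_var(term):
        return sub.get(term, term)
    return (term[0],) + tuple(apply_subst(a, sub) for a in term[1:])

def apply_to_clause(clause, sub):
    return [(apply_subst(l, sub), apply_subst(r, sub), p) for l, r, p in clause]

def a_reduce(clause, A):
    """C_{|A}: replace every abducible constant by a_0 = A[0] (Definition 11)."""
    def red(t):
        if is_var(t):
            return t
        if is_abd_const(t, A):
            return (A[0],)
        return (t[0],) + tuple(red(a) for a in t[1:])
    return [(red(l), red(r), p) for l, r, p in clause]
```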

3.3 Definition of the calculus

We introduce a calculus for generating ^.-implicates. It is a modified version of the 
superposition calculus, and consists of inference rules that are meant to be applied to 
abstracted clauses. In particular, it is based on orderings that are suitable for abstracted 
terms, literals and clauses: the order between two terms t and s should not depend on the 
abducible constants occurring in t and s, and maximal terms and literals in abstracted 
clauses should be related to maximal terms and literals in standard clauses, in a sense 
that will be made precise later. We thus define particular orderings for standard clauses, 
from which we define suitable orderings for abstracted clauses. 

Definition 17 We consider a good complete simplification ordering $\prec$ such that:

1. for all $a, b \in \mathcal{A}$, $a \prec b$ if and only if $a <_\mathcal{A} b$;

2. for all $a \in \mathcal{A}$ and for all non-variable terms $t \notin \mathcal{A}$, $a \prec t$;

3. for all ground terms $t, s$ not in $\mathcal{A}$, if $t \prec s$ then $t_{\downarrow\mathcal{A}} \preceq s_{\downarrow\mathcal{A}}$, and if $t_{\downarrow\mathcal{A}} \prec s_{\downarrow\mathcal{A}}$ then $t \prec s$.

We let $\gamma_0$ denote the ground substitution of domain$^2$ $\mathcal{V}_\mathcal{A}$ such that for all $x \in \mathcal{V}_\mathcal{A}$, $x\gamma_0 = a_0$. Given abstracted terms $t, s$, we define $\prec_\mathcal{A}$ as follows: $t \prec_\mathcal{A} s$ iff $t\gamma_0 \prec s\gamma_0$. This definition extends to literals and clauses in a standard way. A term is $\mathcal{A}$-maximal if it is maximal for $\prec_\mathcal{A}$; this definition also extends to literals and clauses.

$^2$ Note that the domain of $\gamma_0$ is infinite. This does not cause any technical problem and allows the expression of several properties in a concise way.
It is not difficult to construct a good CSO that satisfies the requirements of Definition 17; one such construction goes as follows. Consider any good (decidable) CSO $\prec_0$ that is defined on the set $T$ of ground $\mathcal{A}$-reduced terms, and such that $a_0 \prec_0 b \prec_0 t$ for all constants $b \neq a_0$ and compound terms $t$ in $T$. Let $T'$ denote the set of all ground terms constructed over the signature, and for $t \in T'$, define $[t]_\mathcal{A} = \{t' \in T' \mid t'_{\downarrow\mathcal{A}} = t_{\downarrow\mathcal{A}}\}$. Then inductively define the order $\prec$ on $T'$ as follows:

• for all $t, s \in T'$, if $t_{\downarrow\mathcal{A}} \prec_0 s_{\downarrow\mathcal{A}}$ then $t' \prec s'$ for all $t' \in [t]_\mathcal{A}$ and $s' \in [s]_\mathcal{A}$;

• for all $t \in T'$ and for all $s, s' \in [t]_\mathcal{A}$,

– if $t_{\downarrow\mathcal{A}} = a_0$ then $s \prec s'$ iff$^3$ $s <_\mathcal{A} s'$,

– otherwise, $t = f(t_1, \ldots, t_n)$, in which case $s = f(s_1, \ldots, s_n)$ and $s' = f(s'_1, \ldots, s'_n)$, and $s \prec s'$ iff $(s_1, \ldots, s_n) \prec_{lex} (s'_1, \ldots, s'_n)$, where $\prec_{lex}$ denotes the lexicographic extension of $\prec$.

The ordering $\prec$ can then be straightforwardly extended to non-ground terms in such a way that Condition 2 of Definition 17 is satisfied. It is simple to verify that $\prec$ is an ordering which is total on ground terms and stable under substitutions. It satisfies the subterm property because if $s = t|_p$, $s' = s_{\downarrow\mathcal{A}}$ and $t' = t_{\downarrow\mathcal{A}}$, then $s' = t'|_p$. Thus $s' \prec_0 t'$ and $s \prec t$ by construction. It is also stable under operations: indeed, assume $s \prec s'$ and consider the terms

$t = f(t_1, \ldots, t_{i-1}, s, t_{i+1}, \ldots, t_n)$ and $t' = f(t_1, \ldots, t_{i-1}, s', t_{i+1}, \ldots, t_n)$.

If $s_{\downarrow\mathcal{A}} \prec_0 s'_{\downarrow\mathcal{A}}$ then $t_{\downarrow\mathcal{A}} \prec_0 t'_{\downarrow\mathcal{A}}$ because $\prec_0$ is a CSO, and by construction $t \prec t'$. Otherwise $s_{\downarrow\mathcal{A}} = s'_{\downarrow\mathcal{A}}$ and

$(t_1, \ldots, t_{i-1}, s, t_{i+1}, \ldots, t_n) \prec_{lex} (t_1, \ldots, t_{i-1}, s', t_{i+1}, \ldots, t_n)$,

hence again, $t \prec t'$. Therefore, $\prec$ is a CSO, and by construction, this CSO is good. Note that the order $\prec$ used is not necessarily decidable, but this does not matter since this order will be used only for theoretical purposes; it is not intended to be used in a concrete proof procedure.

The following propositions are entailed by the properties of the ordering under consideration:

Proposition 18

1. If $C$ is a non-variable-eligible clause containing a $\prec$-maximal literal with a $\prec$-maximal term in $\mathcal{A}$, then $C$ is an $\mathcal{A}$-clause.

2. Let $C$ be an abstracted clause that is not an $\mathcal{A}$-clause. If $L\nu_C$ is $\prec$-maximal in $C\nu_C$, then $L$ is $\mathcal{A}$-maximal in $C$. Furthermore, if $L\nu_C = (t \bowtie s)\nu_C$ and $t\nu_C$ is $\prec$-maximal in $L\nu_C$, then $t$ is $\mathcal{A}$-maximal in $L$.

$^3$ Note that in this case, both $s$ and $s'$ must be in $\mathcal{A}$.
Definition 19 We denote by $\mathcal{SP}_\mathcal{A}$ the calculus such that for all clause sets $S$, we have $S \vdash_\mathcal{A} D$ if $S \vdash_{\prec_\mathcal{A}} D$ and the mgu involved in the $\mathcal{SP}$-inference is $\mathcal{A}$-compliant.

By construction, $\mathcal{SP}$ and $\mathcal{SP}_\mathcal{A}$ coincide on ground $\mathcal{A}$-clauses.
Redundancy Elimination for Abstracted Clauses 

We define a particular notion of redundancy for abstracted clauses that is related to redundancy for standard clauses. The main difference with the standard definition is that the redundancy test is performed modulo the substitution $\nu_C$ that replaces the abducible variables in $C$ by the abducibles they denote.

Definition 20 Consider a set of abstracted clauses $S$ and an abstracted clause $C$ such that $\mathrm{Var}(C) \subseteq \mathcal{V}_\mathcal{A}$. The clause $C$ is $\mathcal{A}$-redundant in $S$ if one of the following conditions holds:

• $C$ is an $\mathcal{A}$-clause, $\nu_C \neq \mathrm{id}$ and $C\nu_C$ occurs in $S$ or is $\mathcal{A}$-redundant in $S$;

• there exists a set of ground clauses $S'$ such that $S' \models C$, every $D \in S'$ is an instance of a clause in $S^\nu$ and $D \prec C\nu_C$.

If $C$ is an abstracted clause such that $\mathrm{Var}(C) \not\subseteq \mathcal{V}_\mathcal{A}$, then $C$ is $\mathcal{A}$-redundant in $S$ if for all ground substitutions $\sigma$ with a domain in $\mathcal{V}$, $C\sigma$ is $\mathcal{A}$-redundant in $S$. The set $S$ is $\mathcal{A}$-saturated if every clause $C \notin S$ generated by an $\mathcal{SP}_\mathcal{A}$-inference with premises in $S$ is $\mathcal{A}$-redundant in $S$.

This notion of redundancy makes it possible to add the standard contraction rules of the superposition calculus to $\mathcal{SP}_\mathcal{A}$ (subsumption, simplification, elimination of tautologies, etc.). The following contraction inference rule is also added to $\mathcal{SP}_\mathcal{A}$:

$\mathcal{A}$-reduction:
$$\frac{C}{C\nu_C} \quad \text{if } C \text{ is an } \mathcal{A}\text{-clause and } \nu_C \neq \mathrm{id}.$$

After any application of the $\mathcal{A}$-reduction rule, the premise becomes $\mathcal{A}$-redundant and can be deleted.

Theorem 21 If $S$ is a variable-inactive set of abstracted clauses that are $\mathcal{V}_\mathcal{A}$-stable, then every non-redundant clause generated from $S$ by $\mathcal{SP}_\mathcal{A}$ is abstracted and $\mathcal{V}_\mathcal{A}$-stable. Also, if one of the premises of a binary $\mathcal{SP}_\mathcal{A}$-inference is an $\mathcal{A}$-clause, then the other premise is also an $\mathcal{A}$-clause.

Proof. The first property is a consequence of the fact that if $C$ is abstracted and $\mathcal{V}_\mathcal{A}$-stable, and if $\sigma$ is an $\mathcal{A}$-compliant substitution, then $C\sigma$ is also an abstracted and $\mathcal{V}_\mathcal{A}$-stable clause. Since the $\mathcal{A}$-maximal term in a positive $\mathcal{A}$-maximal literal of a premise cannot be a variable, a non-abducible term cannot be replaced by an abducible constant, and thus it is straightforward to verify that the clause generated by $\mathcal{SP}$ is abstracted and $\mathcal{V}_\mathcal{A}$-stable. The second point is a direct consequence of Proposition 18 (1). ■
In what follows, we will prove completeness and termination results for $\mathcal{SP}_\mathcal{A}$. The completeness result guarantees that $\mathcal{SP}_\mathcal{A}$ generates the required information about existing abducibles for any abstracted set of clauses, while the termination result relies on termination results for $\mathcal{SP}$, and will be used to verify without any additional effort that our technique can be used as a decision procedure for reasoning about abducibles in SMT problems with several theories of interest.

4 Completeness of the calculus 

This section is devoted to the proof that if $S$ is an unsatisfiable set of abstracted clauses that is $\mathcal{A}$-saturated, then $\square \in S$. Note that this result does not follow from the refutational completeness of the superposition calculus: indeed, the ordering $\prec_\mathcal{A}$ is not a simplification ordering (it is not stable by substitution), and all inferences in which non-$\mathcal{A}$-compliant unifiers are involved are ignored. However, the proof is based on the refutational completeness of $\mathcal{SP}$, and requires determining relationships between $\mathcal{SP}$-inferences and $\mathcal{SP}_\mathcal{A}$-inferences. The following properties relate mgus of abstracted terms to mgus of corresponding standard terms.

Lemma 22 Let $t, s$ be abstracted terms, $\delta$ be a substitution with a domain in $\mathcal{V}_\mathcal{A}$, such that for all $x \in \mathrm{Var}_\mathcal{A}(t) \cup \mathrm{Var}_\mathcal{A}(s)$, $x\delta \in \mathcal{A}$, and consider the standard terms $t' = t\delta$ and $s' = s\delta$. If $t'$ and $s'$ are unifiable, then $t, s$ are $\mathcal{A}$-unifiable, and if $\mu$ is an mgu of $t, s$ then $\delta\mu\delta = \mu\delta$ and $(\mu\delta)|_\mathcal{V}$ is an mgu of $t', s'$.

Proof. Let $\mu'$ be an mgu of $t'$ and $s'$; the result is proved by induction on the size of 
$t'\mu'$. If one of $t'$ or $s'$ is in $\mathcal{A} \cup \mathcal{V}$, then the result is not difficult to verify. For instance, 
if $t' \in \mathcal{A}$ and $s' \in \mathcal{V}$, then $t \in \mathcal{V}_{\mathcal{A}}$, $s = s'$ and $\delta$ contains the mapping $t \mapsto t'$. In this 
case, $t$ and $s$ are indeed $\mathcal{A}$-unifiable with $\mu = \{s' \mapsto t\}$, and $\mu' = (\mu\delta)|_{\mathcal{V}} = \{s' \mapsto t'\}$ is 
an mgu of $t', s'$. Similar reasonings are carried out in the other cases. 

Now assume that $t = f(t_1, \ldots, t_n)$ and $s = f(s_1, \ldots, s_n)$, so that $t' = f(t'_1, \ldots, t'_n)$ 
and $s' = f(s'_1, \ldots, s'_n)$. We let $\pi'_0 = \mathrm{id}$, and for $i = 1, \ldots, n$, $\mu'_i$ denotes the mgu of $t'_i\pi'_{i-1}$ 
and $s'_i\pi'_{i-1}$, and we let $\pi'_i = \pi'_{i-1}\mu'_i$. Since $t'$ and $s'$ are unifiable, for all $i = 1, \ldots, n$, 
$t'_i\pi'_{i-1}$ and $s'_i\pi'_{i-1}$ are unifiable. Furthermore, $\mu' = \pi'_n$ is also an mgu of $t', s'$. 

Let $\pi_0 = \mathrm{id}$ and for all $i = 1, \ldots, n$, let $\mu_i$ denote the mgu of $t_i\pi_{i-1}$ and $s_i\pi_{i-1}$, and 
let $\pi_i = \pi_{i-1}\mu_i$. We show by induction on $i$ that $t_i\pi_{i-1}$ and $s_i\pi_{i-1}$ are $\mathcal{A}$-unifiable, that 
$\mu_i$ verifies $\delta\mu_i\delta = \mu_i\delta$ and $\mu'_i = (\mu_i\delta)|_{\mathcal{V}}$, and that $\pi_i$ verifies $\pi'_i = (\pi_i\delta)|_{\mathcal{V}}$. This will permit 
to conclude that $t$ and $s$ are $\mathcal{A}$-unifiable with mgu $\mu = \pi_n$ which verifies $\delta\mu\delta = \mu\delta$, and 
that $\mu' = (\mu\delta)|_{\mathcal{V}}$. 

Assume this result holds for $i - 1$; then it is straightforward to check that $\delta\pi_{i-1}\delta = \pi_{i-1}\delta$. 
Consider the terms $t_i\pi_{i-1}$ and $s_i\pi_{i-1}$. By hypothesis, $\pi'_{i-1} = (\pi_{i-1}\delta)|_{\mathcal{V}}$, thus 
$t'_i\pi'_{i-1} = t_i\delta(\pi_{i-1}\delta)|_{\mathcal{V}}$. Since $t_i\delta$ contains no variable in $\mathcal{V}_{\mathcal{A}}$, we have $t_i\delta(\pi_{i-1}\delta)|_{\mathcal{V}} = 
t_i\delta\pi_{i-1}\delta = t_i\pi_{i-1}\delta$. Since the size of $t'_i\pi'_{i-1}$ is strictly less than that of $t'\mu'$, we may 
apply the induction hypothesis to conclude that $t_i\pi_{i-1}$ and $s_i\pi_{i-1}$ are $\mathcal{A}$-unifiable with 
mgu $\mu_i$ such that $\delta\mu_i\delta = \mu_i\delta$ and $\mu'_i = (\mu_i\delta)|_{\mathcal{V}}$. Therefore $\pi_i$ is well-defined and since 
$\pi_{i-1}\delta$ maps every variable in its domain to terms containing no variables in $\mathcal{V}_{\mathcal{A}}$, we have 

$\pi'_i = \pi'_{i-1}\mu'_i = (\pi_{i-1}\delta)|_{\mathcal{V}}(\mu_i\delta)|_{\mathcal{V}} = (\pi_{i-1}\delta\mu_i\delta)|_{\mathcal{V}} = (\pi_i\delta)|_{\mathcal{V}}.$ 

This proves the result. ■ 

The following definition and properties will be used to express another useful 
relationship between $\mathcal{A}$-variant terms and $\mathcal{A}$-unifiable terms with slightly more general 
hypotheses than those of Lemma 22. 

Definition 23 Given the abstracted terms $t, s$, we denote by $\sim_{(t,s)}$ the smallest 
equivalence relation such that for all variables $x$ and terms $u$, $x \sim_{(t,s)} u$ if there exists a 
position $p \in \mathrm{Pos}(t) \cap \mathrm{Pos}(s)$ such that $\{x, u\} = \{t|_p, s|_p\}$. We denote by $[u]_{(t,s)}$ (or 
simply by $[u]$) the equivalence class of $u$ for $\sim_{(t,s)}$. 

Intuitively, if $t$ and $s$ are unifiable, then the image by their mgu of every variable 
$x$ occurring in $t$ or $s$ must be equal to instances of every term occurring in $[x]$. In 
particular, the following property holds for $\mathcal{A}$-unifiable terms: 

Proposition 24 If $t, s$ are $\mathcal{A}$-unifiable with mgu $\mu$, then for all $x \in \mathcal{V}_{\mathcal{A}}$, $[x]_{(t,s)} \subseteq \mathcal{V} \cup \mathcal{V}_{\mathcal{A}}$ 
and $x\mu \in [x]_{(t,s)}$. 

Lemma 25 Let $t, s$ be abstracted terms, $\nu, \nu'$ be substitutions with identical domains 
contained in $\mathcal{V}_{\mathcal{A}}$ and with codomains in $\mathcal{A}$, and let $I$ be an interpretation such that for 
all $x \in \mathrm{Var}_{\mathcal{A}}(t) \cup \mathrm{Var}_{\mathcal{A}}(s)$, $I \models x\nu \simeq x\nu'$. If $t\nu'$ and $s\nu'$ are unifiable, then $t$ and $s$ are 
$\mathcal{A}$-unifiable, and if $\mu$ is their mgu then $I \models x\nu \simeq x\mu\nu$. 

Proof. Let $\mu'$ be the mgu of $t\nu', s\nu'$, and let $\gamma' = \nu \cup \mu'$. We prove that for all $x \in \mathcal{V}_{\mathcal{A}}$ 
and for all $y \in [x]_{(t,s)}$, $I \models x\gamma' \simeq y\gamma'$. 

Let $p$ be a position and $y, y'$ be variables in $[x]_{(t,s)}$ such that $\{y, y'\} = \{t|_p, s|_p\}$. By 
hypothesis $I \models \{t|_p\nu \simeq t|_p\nu',\ s|_p\nu \simeq s|_p\nu'\}$, thus, $I \models \{t|_p\gamma' \simeq t|_p\nu'\mu',\ s|_p\gamma' \simeq s|_p\nu'\mu'\}$. 
But since $t\nu'\mu' = s\nu'\mu'$, necessarily $I \models t|_p\gamma' \simeq s|_p\gamma'$, i.e., $I \models y\gamma' \simeq y'\gamma'$. By transitivity, 
we deduce that for all $y \in [x]_{(t,s)}$, $I \models x\gamma' \simeq y\gamma'$. By Proposition 24 $x\mu \in [x]_{(t,s)}$, 
thus $I \models x\gamma' \simeq x\mu\gamma'$. Since $x$ and $x\mu$ are in $\mathcal{V}_{\mathcal{A}}$, we have the result. ■ 

We now prove that if $S$ is a set of abstracted clauses that does not contain the empty 
clause and is: 

• $\mathcal{V}_{\mathcal{A}}$-stable, 

• with no variable-eligible clause, 

• $\mathcal{A}$-saturated, 

then $S$ is satisfiable. We will show that $S$ is satisfiable by constructing a set of standard 
clauses whose satisfiability will entail that of $S$. The set we construct will be saturated 
under $\mathcal{SP}$-inferences, and it will not contain the empty clause; we will conclude that 
it must be satisfiable, and hence that so must $S$. 

Let $T$ be the set of $\mathcal{A}$-clauses in $S$. Since $S$ is $\mathcal{V}_{\mathcal{A}}$-stable and $\mathcal{A}$-saturated by 
hypothesis, $T$ can only contain ground $\mathcal{A}$-clauses, because if a non-ground clause occurs 
in $T$ then $\mathcal{A}$-reduction applies. Since $\mathcal{SP}$ and $\mathcal{SP}_{\mathcal{A}}$ coincide on ground $\mathcal{A}$-clauses, $T$ 
must also be saturated under $\mathcal{SP}$-inferences and cannot contain $\square$; this set is therefore 
satisfiable. We consider a fixed model $I$ of $T$. 

Definition 26 We define the ground set 

$U_I = \{a \simeq b \mid a, b \in \mathcal{A},\ a^I = b^I\} \cup \{a \not\simeq b \mid a, b \in \mathcal{A},\ a^I \neq b^I\}.$ 

The set $U_I$ will be used to discard all $\mathcal{A}$-clauses in $S$ in the upcoming proof. Note 
that by construction, $U_I$ is saturated. 

Definition 27 We inductively define the notion of an $I$-reduction: 

• For all $a \in \mathcal{A}$, $a\downarrow_I = \min_{\prec}\{b \in \mathcal{A} \mid b^I = a^I\}$. 

• $f(t_1, \ldots, t_n)\downarrow_I = f(t_1\downarrow_I, \ldots, t_n\downarrow_I)$. 

This definition extends to standard literals and clauses. 

The $I$-reduction procedure is used to define a set whose satisfiability entails that of 
$S$, and that turns out to be saturated. Below, $\mathcal{A}(C)$ denotes the disjunction of the 
$\mathcal{A}$-literals of a clause $C$, and $\overline{\mathcal{A}}(C)$ the disjunction of its remaining literals. 

Definition 28 Let $S_I = U_I \cup \{\overline{\mathcal{A}}(C\downarrow_I) \mid C \in S_\nu \wedge U_I \models \neg\mathcal{A}(C)\}$. 

By construction, every $\mathcal{A}$-clause in $S_I$ must be in $U_I$ and $\square \notin S_I$. 
Proposition 29 If $S_I$ is satisfiable then so is $S_\nu$, and therefore so is $S$. 

PROOF. Since $S_I$ contains $U_I$, necessarily $S_I \models S_\nu \models S$. ■ 

Lemma 30 $S_I$ is saturated for $\mathcal{SP}$. 

Proof. We prove the result by considering a clause generated by a superposition 
inference with premises in $S_I$; the proof in the other cases is similar. Thus assume that 
$C'_1, C'_2 \vdash C'$, where $C'_1, C'_2$ are in $S_I$. If both $C'_1$ and $C'_2$ are $\mathcal{A}$-clauses (i.e., if they 
are both in $U_I$), then it is clear that $C'$ must be subsumed by a clause in $U_I$. By 
construction the abducible constants that occur in $S_I$ are all minimal and cannot be 
replaced, thus there can be no inference with one premise in $U_I$ and the other not in 
$U_I$. We therefore assume neither $C'_1$ nor $C'_2$ is in $U_I$. The considered clauses are of the 
following forms: 

$C'_1 = u' \simeq v' \vee E'_1,$ 

$C'_2 = t'[w'] \bowtie s' \vee E'_2,$ 

$C' = (t'[v'] \bowtie s' \vee E'_1 \vee E'_2)\mu',$ 

where $\mu'$ is the mgu of $u'$ and $w'$. Since no clause in $S$ is variable-eligible by hypothesis, 
the maximal literals in $C'_1$ and $C'_2$ must contain symbols in $\Sigma \setminus \mathcal{A}$. By definition of $S_I$, 
there are clauses $C_1, C_2$ in $S$ such that: 

• $U_I \models \neg\mathcal{A}(C_1\nu_{C_1})$ and $U_I \models \neg\mathcal{A}(C_2\nu_{C_2})$, 

• $C'_1 = \overline{\mathcal{A}}(C_1\nu_{C_1}\downarrow_I)$ and $C'_2 = \overline{\mathcal{A}}(C_2\nu_{C_2}\downarrow_I)$. 

Necessarily, $C_1$ and $C_2$ are of the form 

$C_1 = u \simeq v \vee E_1,$ 

$C_2 = t[w] \bowtie s \vee E_2,$ 

and by Proposition 18 (2), $u$ is $\mathcal{A}$-maximal in $u \simeq v$ which is $\mathcal{A}$-maximal in $C_1$, and $t[w]$ 
is $\mathcal{A}$-maximal in $t[w] \bowtie s$ which is $\mathcal{A}$-maximal in $C_2$. Furthermore, these literals cannot 
be $\mathcal{A}$-literals. Therefore, $C_1, C_2 \vdash_{\mathcal{A}} C$, where $C$ is of the form 

$C = (t[v] \bowtie s \vee E_1 \vee E_2)\mu,$ 

and $\mu$ is the mgu of $u, w$. We prove that $U_I \cup \{C\nu_C\} \models C'$. 

It is necessary to distinguish two cases, depending on whether $(t[v] \bowtie s)\mu$ is an $\mathcal{A}$-literal 
or not. We let $L = (t[v] \bowtie s)\mu$ if $(t[v] \bowtie s)\mu$ is an $\mathcal{A}$-literal and $L = \square$ otherwise. 
We also let $D$ be the rest of $C$, i.e., $D = (E_1 \vee E_2)\mu$ if $L \neq \square$ and $D = (t[v] \bowtie s \vee E_1 \vee E_2)\mu$ 
otherwise, so that the following equalities hold: 

$C = L \vee D,$ (3) 

$\mathcal{A}(C) = L \vee \mathcal{A}(D),$ (4) 

$\overline{\mathcal{A}}(C) = \overline{\mathcal{A}}(D),$ (5) 

$\mathcal{A}(D) = \mathcal{A}((C_1 \vee C_2)\mu).$ (6) 

By construction, $L$ cannot be a $\mathcal{V}_{\mathcal{A}}$-constraint literal, thus $\nu_D = \nu_C$, and therefore, 
$C\nu_C = (L \vee D)\nu_D$. For the sake of readability, we define $\nu = \nu_{C_1} \cup \nu_{C_2}$, hence $\mathcal{A}(C_1\nu_{C_1}) \vee 
\mathcal{A}(C_2\nu_{C_2}) = \mathcal{A}((C_1 \vee C_2)\nu)$. We also let $\delta$ be the substitution defined as follows: for 
all $x \in \mathrm{Var}_{\mathcal{A}}(C_1 \vee C_2)$, $x\delta = (x\nu)\downarrow_I$. Thus $C_1\delta = C'_1$ and $C_2\delta = C'_2$, and for all 
$x \in \mathrm{Var}_{\mathcal{A}}(C_1 \vee C_2)$, $U_I \models x\nu \simeq x\delta$. We first prove that $U_I \models \neg\mathcal{A}(D\nu_D)$. 

• Since the terms $u' = u\delta$ and $w' = w\delta$ are unifiable and since $\mu$ is the mgu of $u$ 
and $w$, Lemma 25 proves that $U_I \models x\nu \simeq x\mu\nu$ for all $x \in \mathrm{Var}_{\mathcal{A}}(C_1 \vee C_2)$, thus 
Condition 1 of Lemma 16 holds for the clause $\mathcal{A}(C_1 \vee C_2)$. 

• By hypothesis, $U_I \models \neg\mathcal{A}(C_1\nu_{C_1})$ and $U_I \models \neg\mathcal{A}(C_2\nu_{C_2})$; in other words, $U_I \models 
\neg\mathcal{A}((C_1 \vee C_2)\nu)$, and therefore, by using the equality $\mathcal{A}((C_1 \vee C_2)\nu) = \mathcal{A}(C_1 \vee C_2)\nu$, 
we deduce that $U_I \models \neg\mathcal{A}(C_1 \vee C_2)\nu$. Therefore, Condition 2 of Lemma 16 also 
holds, and using Equation 6 above, we deduce that for all $x \in \mathrm{Var}_{\mathcal{A}}(D)$ we have 
$U_I \models x\nu \simeq x\nu_D$ and that $U_I \models \neg\mathcal{A}(D\nu_D)$. 

We have just proved that for all $x \in \mathrm{Var}_{\mathcal{A}}(C_1 \vee C_2)$, $U_I \models x\nu \simeq x\nu_D$. Since 
$U_I \models x\nu \simeq x\delta$, necessarily $U_I \models x\nu_D \simeq x\delta$. But every variable in $\mathrm{Var}_{\mathcal{A}}(L \vee D)$ is also 
in $\mathrm{Var}_{\mathcal{A}}(C_1 \vee C_2)$, therefore $U_I \cup \{\overline{\mathcal{A}}(D\nu_D)\} \models \overline{\mathcal{A}}(D\delta)$ and $U_I \cup \{L\nu_D\} \models L\delta$. In the 
case where $L \neq \square$, by Lemma 22, 

$L\delta = (t[v] \bowtie s)\mu\delta = (t[v] \bowtie s)\delta\mu\delta = (t'[v'] \bowtie s')\mu',$ 

and similarly, $\overline{\mathcal{A}}(D\delta) = (E'_1 \vee E'_2)\mu'$. Therefore, it is always the case that $(L \vee \overline{\mathcal{A}}(D))\delta = 
C'$. Since $\mathrm{Var}(C) \cap \mathcal{V} = \mathrm{Var}(L \vee D) \cap \mathcal{V} = \mathrm{Var}(L \vee \overline{\mathcal{A}}(D)) \cap \mathcal{V}$, necessarily $\mathrm{Var}(C) \cap \mathcal{V} = 
\mathrm{Var}(C')$. Furthermore, since $C\nu_C = (L \vee D)\nu_D$ and $U_I \models \neg\mathcal{A}(D\nu_D)$, for every ground 
substitution $\sigma$ such that $\mathrm{dom}(\sigma) \subseteq \mathcal{V}$, 

$U_I \cup \{C\nu_C\sigma\} \models U_I \cup \{(\overline{\mathcal{A}}(D) \vee L)\delta\sigma\} \models (\overline{\mathcal{A}}(D) \vee L)\delta\sigma \models C'\sigma.$ 

The abstracted clause $C$ and the standard clause $C\nu_C$ are logically equivalent, hence 
$U_I \cup \{C\sigma\} \models C'\sigma$. We now prove that $C'$ is either in $S_I$, or is redundant in $S_I$. 

If $C'$ is an $\mathcal{A}$-clause then necessarily $E'_1 = E'_2 = \overline{\mathcal{A}}(D) = \square$ and $C' = L\delta$. But $C$ 
must also be an $\mathcal{A}$-clause in this case and since $S$ is $\mathcal{A}$-saturated, $C\nu_C$ is either in $S$ or is 
entailed by a subset of the $\mathcal{A}$-clauses in $S$; in both cases, $U_I \models C\nu_C$. But $U_I \models \neg\mathcal{A}(D\nu_D)$, 
thus $U_I \models L\nu_D$ and $U_I \models L\delta$. Since $U_I$ contains all equalities between abducible 
constants that have the same interpretation under $I$, we conclude that $C'$ must be in 
$U_I$. 

Now assume that $C'$ is not an $\mathcal{A}$-clause, and suppose that $C \notin S$. Let $\sigma$ be a ground 
substitution such that $\mathrm{dom}(\sigma) \subseteq \mathcal{V}$. By hypothesis, $C$ is $\mathcal{A}$-redundant in $S$, hence there 
exists a set of clauses $T$ that consists of instances of abstracted clauses in $S_\nu$, such that 
$T \models C\sigma$ and for all $E \in T$, $E \prec_{\mathcal{A}} C\sigma\nu_C$. Let $T_I = \{\overline{\mathcal{A}}(E)\downarrow_I \mid E \in T \wedge U_I \models \neg\mathcal{A}(E)\}$, 
then $T_I \subseteq S_I$, and 

$T_I \cup U_I \models T \cup U_I \models \{C\sigma\} \cup U_I \models C'\sigma,$ 

because $\mathrm{Var}(C) \cap \mathcal{V} = \mathrm{Var}(C')$. Since $C'$ is not an $\mathcal{A}$-clause, by definition of $\prec$, for all 
$E \in T_I \cup U_I$, $E \prec C'$. Consider the case where $C \in S$. If $U_I \models C$, then $U_I \models C'$ 
and again $C'$ must be redundant. Otherwise, $U_I \models \neg\mathcal{A}(C\nu_C)$, and $S_I$ must contain 
$\overline{\mathcal{A}}(C\nu_C)\downarrow_I$. Since $\overline{\mathcal{A}}(C\nu_C)\downarrow_I = \overline{\mathcal{A}}(C)\delta = \overline{\mathcal{A}}(L \vee D)\delta$, Equation 5 shows that $\overline{\mathcal{A}}(C\nu_C)\downarrow_I$ 
subsumes $(\overline{\mathcal{A}}(D) \vee L)\delta = C'$, thus proving that $C'$ is subsumed by a clause in $S_I$. 
Therefore, $S_I$ is indeed saturated. ■ 

Since $S_I$ is saturated for the standard superposition calculus $\mathcal{SP}$ and contains no 
occurrence of the empty clause, we deduce that it is satisfiable. We obtain the main 
result of this section: 

Theorem 31 Let $S$ be a set of abstracted clauses that is $\mathcal{V}_{\mathcal{A}}$-stable and contains no 
variable-eligible clause. If $S$ is $\mathcal{A}$-saturated and does not contain the empty clause, then 
$S$ is satisfiable. 

This theorem proves the refutational completeness of $\mathcal{SP}_{\mathcal{A}}$ together with contraction 
rules that eliminate $\mathcal{A}$-redundant clauses, for those sets of abstracted clauses $S$ 
whose saturation is guaranteed to meet the requirements of the theorem. The first two 
requirements are not restrictive: the abstraction of a set of standard clauses described 
right before Section 3.3 produces a set of abstracted and $\mathcal{V}_{\mathcal{A}}$-stable clauses, and the 
saturation of this set is guaranteed to only contain abstracted and $\mathcal{V}_{\mathcal{A}}$-stable clauses by 
Theorem 21. The fact that $S$ contains no variable-eligible clause cannot be imposed 
that easily, but such a condition is guaranteed if $S$ is variable-inactive, which is the case 
for many classes of clause sets of interest [2, 1]. 

Note that this completeness result is not, by itself, sufficient for our purpose, since 
our goal is not merely to test the satisfiability of clause sets but rather to generate flat 
consequences they logically entail. The next section shows how the calculus $\mathcal{SP}_{\mathcal{A}}$ can 
be employed to reach this goal. 

5 Generation of explanations 

We return to the problem of explaining why a set of clauses is satisfiable, and show how 
$\mathcal{SP}_{\mathcal{A}}$ can be used to generate explanations relating abducibles to one another. Given a 
satisfiable set of clauses $S'$, we denote by $I_{\mathcal{A}}(S')$ the set of all $\mathcal{A}$-implicates of $S'$: 

$I_{\mathcal{A}}(S') = \{C \text{ an } \mathcal{A}\text{-clause} \mid C \text{ is ground and } S' \models C\}.$ 

It is clear that all the information about abducible constants that is entailed 
by $S'$ is contained in $I_{\mathcal{A}}(S')$. However, this set can be very large and it contains a lot 
of non-pertinent information, for example all logical tautologies, or all instances of the 
equality axioms. It therefore does not seem reasonable to return this entire set to a 
user. Another solution could be to return a subset $T \subseteq I_{\mathcal{A}}(S')$ such that $T \models I_{\mathcal{A}}(S')$, 
but again, such a set might be large and contain unnecessary information. 

Example 32 Consider the set $S' = \{f(a) \not\simeq f(c),\ g(b) \simeq c,\ g(y) \simeq c\}$, where $\mathcal{A} = 
\{a, b, c\}$. This set is satisfiable and $I_{\mathcal{A}}(S')$ contains the $\mathcal{A}$-clauses $c \not\simeq a$ and $a \not\simeq b \vee c \not\simeq b$, 
and since one cannot derive one from the other using $\mathcal{SP}$, they should both be in $T$. But 
the latter is a logical consequence of the former and may not be as useful to output. 

The solution we choose is to return a (subsumption-minimal) subset $T' \subseteq I_{\mathcal{A}}(S')$ satisfying 
the following property: for all $C \in I_{\mathcal{A}}(S')$ that is not a tautology, there exists a 
clause $C' \in T'$ such that $C' \models C$. The clauses in $T'$ are the prime implicates of $S'$. The 
notion of prime implicates plays a central role in many applications of computer science 
and artificial intelligence, and several approaches have been proposed for computing the 
prime implicates of a given propositional formula (see, e.g., [9]). Some extensions to 
first-order logic have also been considered, such as, e.g., [11]. In what follows, we define 
an algorithm that computes prime implicates for sets of flat equational clauses. 
It turns out that $\mathcal{SP}_{\mathcal{A}}$ cannot be used to determine the set $T'$. For instance, if 
$S' = \{a \simeq b,\ c \not\simeq d\}$, then the clause $a \not\simeq c \vee b \not\simeq d$ must be in $I_{\mathcal{A}}(S')$. Since it is 
subsumed by no clause in $I_{\mathcal{A}}(S')$ but itself, it must also be in $T'$, but no $\mathcal{SP}_{\mathcal{A}}$-inference 
rule (or $\mathcal{SP}$-inference rule for that matter) can be applied to $S'$ to generate such a 
clause. In the sequel, we will show how, starting with a set of $\mathcal{A}$-clauses that logically 
entails $I_{\mathcal{A}}(S')$, it is possible to generate a set $T'$ using the Resolution calculus, denoted 
by $\mathcal{R}$ (we refer the reader to [10] for details on the Resolution calculus). From now on, 
$S'$ denotes a satisfiable set of standard clauses, and $S$ is a set of abstracted clauses such 
that $S_\nu = S'$. Thus, $S$ and $S'$ are equivalent. The first step towards this construction 
is the definition of a set of $\mathcal{A}$-clauses that logically entails $I_{\mathcal{A}}(S')$. The (finite) set of all 
$\mathcal{A}$-clauses in the saturated set generated from $S$ using $\mathcal{SP}_{\mathcal{A}}$ will satisfy this requirement. 

Definition 33 We denote by $T_\infty$ the set of $\mathcal{A}$-clauses in the $\mathcal{A}$-saturated set generated 
from $S$ by $\mathcal{SP}_{\mathcal{A}}$. 

The key result that makes the generation of $\mathcal{A}$-implicates possible is that all the 
$\mathcal{A}$-clauses that are entailed by $S$ are actually logical consequences of $T_\infty$: 

Proposition 34 $T_\infty \models I_{\mathcal{A}}(S')$. 

PROOF. Let $C \in I_{\mathcal{A}}(S')$. Since $S' \cup \neg C$ is unsatisfiable by hypothesis, so is $S \cup \neg C$, 
and there exists an $\mathcal{SP}_{\mathcal{A}}$-refutation of this set. Since any $\mathcal{SP}_{\mathcal{A}}$-inference involving an 
$\mathcal{A}$-clause as a premise must actually have all its premises that are $\mathcal{A}$-clauses by Theorem 
21, it is possible to extract from the $\mathcal{SP}_{\mathcal{A}}$-refutation of $S \cup \neg C$ an $\mathcal{SP}_{\mathcal{A}}$-refutation of 
$T_\infty \cup \neg C$, hence the result. ■ 

Recall that this result does not hold for the standard superposition calculus: for 
instance $a \not\simeq b$ is a logical consequence of $f(a) \not\simeq f(b)$ but no ground, flat clause 
implying $a \not\simeq b$ can be derived from $f(a) \not\simeq f(b)$. This shows the interest of 
the calculus $\mathcal{SP}_{\mathcal{A}}$. Note that since $T_\infty \subseteq I_{\mathcal{A}}(S_\nu)$, both sets are actually equivalent. 
Let $\mathrm{Eq}$ be the set of axioms stating that $\simeq$ is an equivalence relation$^4$: 
$\mathrm{Eq} = \{x \simeq x,\ x \not\simeq y \vee y \simeq x,\ x \not\simeq y \vee y \not\simeq z \vee x \simeq z\}$, and let $\mathrm{Eq}_{\mathcal{A}}$ be the set consisting 
of all instantiations of the axioms in $\mathrm{Eq}$ by the elements in $\mathcal{A}$. The result we show is 
that the $\mathcal{R}$-closure of the set $T_\infty \cup \mathrm{Eq}_{\mathcal{A}}$ satisfies the requirements for the set of $\mathcal{A}$-clauses 
that is searched for. The proof is based on the following property: 

Lemma 35 Given a set $S$, a clause $L \vee C$ and a substitution $\sigma$ such that $L' = L\sigma$ is 
ground, let $\delta$ be an $\mathcal{R}$-derivation from $S \cup \{C\sigma\}$ of a clause $D$. Then there exists an 
$\mathcal{R}$-derivation $\delta'$ from $S \cup \{L \vee C\}$ of a clause $D'$ such that there exists an $r \geq 0$ and 
a substitution $\mu$ verifying $D'\mu = L'^r \vee D$, where the notation $L'^r$ means that literal $L'$ is 
repeated $r$ times. 

$^4$ There will be no need to consider the congruence axiom, since all the clauses in $T_\infty$ only contain 
constants. 
Proof. The result is proved by induction on the length of $\delta$. If $\delta = (D)$, then 
necessarily $D \in S \cup \{C\sigma\}$. It is simple to verify that the result holds when $D \in S$ and when 
$D = C\sigma$. 

Assume that there are clauses $C_i = M \vee E_i$ and $C_j = N \vee E_j$ in $\delta$ such that 
$D = (E_i \vee E_j)\theta$, where $\theta$ is the mgu of $M, N$. By the induction hypothesis, there are 
clauses $C'_i$ and $C'_j$ generated from $S \cup \{L \vee C\}$ such that: 

• there exists $r_i \geq 0$ and a substitution $\mu_i$ such that $C'_i\mu_i = L'^{r_i} \vee M \vee E_i$, and 

• there exists $r_j \geq 0$ and a substitution $\mu_j$ such that $C'_j\mu_j = L'^{r_j} \vee N \vee E_j$. 

Thus we have $C'_i = M' \vee F'_i$ where $M'\mu_i = M$ and $C'_j = N' \vee F'_j$ where $N'\mu_j = N$. Let 
$\mu_0 = \mu_i \cup \mu_j$. Since $M'\mu_0\theta = N'\mu_0\theta$, necessarily $M'$ and $N'$ are unifiable with mgu $\theta'$, 
and there exists a substitution $\mu$ such that $\mu_0\theta = \theta'\mu$. The Resolution rule applied to 
$C'_i, C'_j$ generates the clause $D' = (F'_i \vee F'_j)\theta'$, and we have 

$D'\mu = (F'_i \vee F'_j)\theta'\mu = (F'_i \vee F'_j)\mu_0\theta = (L'^{r_i + r_j} \vee E_i \vee E_j)\theta = L'^{r_i + r_j} \vee D,$ 

where the last equality comes from the fact that by hypothesis, $L'$ is ground. The proof 
when $D$ is generated by the Factorization rule is similar. ■ 

This permits us to prove the main result of the section: 

Theorem 36 Let $T = T_\infty \cup \mathrm{Eq}_{\mathcal{A}}$, and let $C$ be a non-tautological ground clause in 
$I_{\mathcal{A}}(S')$. Then there is a derivation from $T$ of a clause $C'$ such that $C' \models C$. 

Proof. By Proposition 34, $T \models C$, hence, by refutational completeness of the Resolution 
calculus, there exists a refutation of $T \cup \neg C$. We prove the result by induction 
on the length of the refutation. If the refutation is of length 1 then necessarily $\square \in T$, 
and it is clear that $\square \models C$. Assume this refutation is of length $n \geq 2$, then 

$T \cup \neg C \vdash T \cup \neg C \cup \{D\sigma\} \vdash^{n-1} \square.$ 

By the induction hypothesis, there exists a derivation from $T \cup \{D\sigma\}$ of a clause $C'$ such 
that $C' \models C$. If $D\sigma \in T$, then the result trivially holds. Now assume that $D\sigma \notin T$; we 
consider three cases depending on the sets the premises come from. 

• If both premises are in $T$, then obviously there exists a derivation from $T$ that 
generates $C'$, and the result holds. 

• If $D\sigma$ is generated from premises in $\neg C$, then since all the elements in this set are 
unit clauses, $C$ has to be of the form $L \vee L^c \vee C''$, which is impossible since $C$ is 
assumed not to be a tautology. 

• Otherwise, $D\sigma$ is generated by a Resolution inference on a clause $L \vee D$ in $T$ 
and a unit clause $L'^c$ in $\neg C$ which is ground. Thus, $\sigma$ is the mgu of $L, L'$ and 
$L\sigma = L'$ must be ground. Since $T \cup \{D\sigma\}$ generates the clause $C'$, by Lemma 
35, $T$ generates a clause $D'$ such that there exists an $r \geq 0$ and a substitution $\mu$ 
verifying $D'\mu = L'^r \vee C'$. Since $L'$ is a literal in $C$, we deduce that $D' \models C$, hence 
the result. ■ 
Explain($S'$, $\mathcal{A}$) = 
    $S$ := Abstract($S'$) 
    $S$ := $\mathcal{SP}_{\mathcal{A}}$-saturation($S$) 
    $T_\infty$ := $\{C \in S \mid C$ is an $\mathcal{A}$-clause$\}$ 
    return $\mathcal{R}$-saturation($T_\infty \cup \mathrm{Eq}_{\mathcal{A}}$) 

Figure 3: Generation of a set of explanations 

To summarize, given a set of clauses $S'$ that is satisfiable and a set of abducible 
constants $\mathcal{A}$, the simple algorithm in pseudo-code described in Figure 3 returns a set 
of clauses constructed over $\mathcal{A}$ that can be viewed as explanations why $S'$ is satisfiable. 
Note that $\mathcal{R}$-saturation can be performed on the fly: it is clear that it is not necessary 
to wait until $\mathcal{SP}_{\mathcal{A}}$-saturation($S$) is computed to start generating the clauses in 
$\mathcal{R}$-saturation($T_\infty \cup \mathrm{Eq}_{\mathcal{A}}$). Thus even in case of non-termination, all the prime implicates 
can eventually be generated. After the set $\mathcal{R}$-saturation($T_\infty \cup \mathrm{Eq}_{\mathcal{A}}$) is computed, it 
is possible to remove from this set all the clauses that can be inferred from other 
prime implicates. This solution yields a more compact representation. However, this is 
possible only in case of termination, since the deleted clauses may be involved in the 
generation of other prime implicates. A termination result for $\mathcal{SP}_{\mathcal{A}}$ will be presented 
in the following section. By putting all the previous results together, we obtain the 
following theorem, stating the soundness and completeness of the procedure Explain. 

Theorem 37 Let $S'$ be a set of clauses. Every clause $C \in \mathrm{Explain}(S', \mathcal{A})$ is an 
$\mathcal{A}$-implicate of $S'$, and for every $\mathcal{A}$-implicate $C$ of $S'$ that is not a tautology, there exists a 
clause $C' \in \mathrm{Explain}(S', \mathcal{A})$ such that $C' \models C$. 

Example 38 We return to the problem mentioned in the Introduction. After flattening, 
we get the following set of clauses: 

1 $\mathit{select}(\mathit{store}(x, z, v), z) \simeq v$ 
2 $z \simeq w \vee \mathit{select}(\mathit{store}(x, z, v), w) \simeq \mathit{select}(x, w)$ 
3 $d_1 \simeq \mathit{store}(a, i, b)$ 
4 $d_2 \simeq \mathit{store}(d_1, j, c)$ 
5 $d_3 \simeq \mathit{store}(a, j, c)$ 
6 $d_4 \simeq \mathit{store}(d_3, i, b)$ 
7 $\mathit{select}(d_2, k) \not\simeq \mathit{select}(d_4, k)$ 

Assume that $\mathcal{A} = \{i, j, b, c\}$. Then Clauses 3, 4, 5, 6 are abstracted as follows: 

3' $x' \not\simeq i \vee y' \not\simeq b \vee d_1 \simeq \mathit{store}(a, x', y')$ 
4' $x'' \not\simeq j \vee y'' \not\simeq c \vee d_2 \simeq \mathit{store}(d_1, x'', y'')$ 
5' $x'' \not\simeq j \vee y'' \not\simeq c \vee d_3 \simeq \mathit{store}(a, x'', y'')$ 
6' $x' \not\simeq i \vee y' \not\simeq b \vee d_4 \simeq \mathit{store}(d_3, x', y')$ 
$\mathcal{SP}_{\mathcal{A}}$ generates the following clauses$^5$ (the pair on the right gives the premises of each inference): 

8 $x' \not\simeq i \vee w \simeq x' \vee \mathit{select}(d_1, w) \simeq \mathit{select}(a, w)$ (3', 2) 
9 $x'' \not\simeq j \vee w \simeq x'' \vee \mathit{select}(d_2, w) \simeq \mathit{select}(d_1, w)$ (4', 2) 
10 $x'' \not\simeq j \vee w \simeq x'' \vee \mathit{select}(d_3, w) \simeq \mathit{select}(a, w)$ (5', 2) 
11 $x' \not\simeq i \vee w \simeq x' \vee \mathit{select}(d_4, w) \simeq \mathit{select}(d_3, w)$ (6', 2) 
12 $x' \not\simeq i \vee y' \not\simeq b \vee \mathit{select}(d_1, x') \simeq y'$ (3', 1) 
13 $x'' \not\simeq j \vee y'' \not\simeq c \vee \mathit{select}(d_2, x'') \simeq y''$ (4', 1) 
14 $x'' \not\simeq j \vee y'' \not\simeq c \vee \mathit{select}(d_3, x'') \simeq y''$ (5', 1) 
16 $x' \not\simeq i \vee y' \not\simeq b \vee \mathit{select}(d_4, x') \simeq y'$ (6', 1) 
17 $x' \not\simeq i \vee k \simeq x' \vee \mathit{select}(d_2, k) \not\simeq \mathit{select}(d_3, k)$ (11, 7) 
18 $x' \not\simeq i \vee k \simeq x' \vee x'' \not\simeq j \vee k \simeq x'' \vee \mathit{select}(d_2, k) \not\simeq \mathit{select}(a, k)$ (10, 17) 
19 $x' \not\simeq i \vee k \simeq x' \vee x'' \not\simeq j \vee k \simeq x'' \vee \mathit{select}(d_1, k) \not\simeq \mathit{select}(a, k)$ (9, 18) 
20 $x' \not\simeq i \vee x'' \not\simeq j \vee k \simeq x' \vee k \simeq x''$ (8, 19) 
21 $x' \not\simeq i \vee x'' \not\simeq j \vee k \simeq x' \vee \mathit{select}(d_2, k) \not\simeq \mathit{select}(d_4, x'')$ (20, 7) 
22 $x' \not\simeq i \vee x'' \not\simeq j \vee k \simeq x' \vee x'' \simeq x' \vee \mathit{select}(d_2, k) \not\simeq \mathit{select}(d_3, x'')$ (11, 21) 
23 $x' \not\simeq i \vee x'' \not\simeq j \vee y'' \not\simeq c \vee k \simeq x' \vee x'' \simeq x' \vee \mathit{select}(d_2, k) \not\simeq y''$ (14, 22) 
24 $x' \not\simeq i \vee x'' \not\simeq j \vee y'' \not\simeq c \vee k \simeq x' \vee x'' \simeq x' \vee \mathit{select}(d_2, x'') \not\simeq y''$ (20, 23) 
25 $x' \not\simeq i \vee x'' \not\simeq j \vee k \simeq x' \vee x'' \simeq x'$ (13, 24) 
26 $x' \not\simeq i \vee x'' \not\simeq j \vee x'' \simeq x' \vee \mathit{select}(d_2, k) \not\simeq \mathit{select}(d_4, x')$ (25, 7) 
27 $x' \not\simeq i \vee x'' \not\simeq j \vee y' \not\simeq b \vee x'' \simeq x' \vee \mathit{select}(d_2, k) \not\simeq y'$ (16, 26) 
28 $x' \not\simeq i \vee x'' \not\simeq j \vee y' \not\simeq b \vee x'' \simeq x' \vee \mathit{select}(d_2, x') \not\simeq y'$ (25, 27) 
29 $x' \not\simeq i \vee x'' \not\simeq j \vee y' \not\simeq b \vee x'' \simeq x' \vee \mathit{select}(d_1, x') \not\simeq y'$ (9, 28) 
30 $i \simeq j$ (12, 29) 
31 $x' \not\simeq i \vee x'' \not\simeq j \vee x' \not\simeq x'' \vee k \simeq x'$ (20) 
33 $x' \not\simeq i \vee x'' \not\simeq j \vee x' \not\simeq x'' \vee \mathit{select}(d_2, k) \not\simeq \mathit{select}(d_4, x')$ (31, 7) 
34 $x' \not\simeq i \vee x'' \not\simeq j \vee x' \not\simeq x'' \vee y' \not\simeq b \vee \mathit{select}(d_2, k) \not\simeq y'$ (16, 34) 
35 $x' \not\simeq i \vee x'' \not\simeq j \vee x' \not\simeq x'' \vee y' \not\simeq b \vee \mathit{select}(d_2, x') \not\simeq y'$ (31, 34) 
36 $i \not\simeq j \vee b \not\simeq c$ (13, 35) 

By Resolution, from 30 and 36, we get $c \not\simeq b$, which subsumes 36. We obtain the 
$\mathcal{A}$-implicates $\{i \simeq j,\ b \not\simeq c\}$, yielding the explanation $i \not\simeq j \vee b \simeq c$. 
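The last step of Explain (Figure 3), run on the $T_\infty$ of Example 38, as an added example that is not part of the paper: it saturates $T_\infty \cup \mathrm{Eq}_{\mathcal{A}}$ under Resolution with subsumption, which by Theorem 36 yields the prime implicates, and then applies the compaction described after Figure 3. It assumes unordered atoms (so the symmetry axioms of $\mathrm{Eq}$ are absorbed by the representation and only reflexivity and transitivity instances are generated) and decides the entailment used by the compaction by enumerating the finitely many interpretations of ground clauses over $\mathcal{A}$, which is a choice of this example, not a procedure from the paper.

```python
"""R-saturation of T_inf ∪ Eq_A for ground A-clauses (last step of Explain,
Figure 3), then the compaction that drops implicates inferable from the
remaining ones. Added example; T_inf is the one of Example 38."""
from itertools import product

# A literal is (sign, atom) where atom = frozenset({a, b}) stands for a ≃ b
# when sign is True and for a ≄ b when sign is False. Atoms are unordered, so
# the symmetry axioms of Eq are absorbed by the representation and only the
# reflexivity and transitivity instances of Eq_A are generated (assumption of
# this example). A clause is a frozenset of literals, so factoring is implicit.

def lit(sign, a, b):
    return (sign, frozenset({a, b}))

def eq_axioms(A):
    """Eq_A: all instances over A of x ≃ x and x ≄ y ∨ y ≄ z ∨ x ≃ z."""
    axioms = {frozenset({lit(True, x, x)}) for x in A}
    for x, y, z in product(A, repeat=3):
        axioms.add(frozenset({lit(False, x, y), lit(False, y, z),
                              lit(True, x, z)}))
    return axioms

def is_tautology(clause):
    return any((not s, atom) in clause for (s, atom) in clause)

def resolvents(c1, c2):
    """All binary resolvents of two ground clauses."""
    return {(c1 - {(s, atom)}) | (c2 - {(not s, atom)})
            for (s, atom) in c1 if (not s, atom) in c2}

def saturate(clauses):
    """Given-clause R-saturation with tautology deletion and forward and
    backward subsumption; terminates because the ground atoms over A are
    finitely many. The result is subsumption-minimal."""
    kept = []
    todo = sorted(clauses, key=len)
    while todo:
        c = todo.pop(0)
        if is_tautology(c) or any(k <= c for k in kept):
            continue
        kept = [k for k in kept if not c <= k]
        for k in list(kept):
            for r in resolvents(c, k):
                if (not is_tautology(r) and r not in todo
                        and not any(k2 <= r for k2 in kept)):
                    todo.append(r)
        kept.append(c)
        todo.sort(key=len)
    return set(kept)

def prime_implicates(t_inf, A):
    """By Theorems 36 and 37 the saturation of T_inf ∪ Eq_A contains, up to
    subsumption, every non-tautological A-implicate of S'."""
    return saturate(set(t_inf) | eq_axioms(A))

def interpretations(A):
    """Ground A-clauses only say which constants are identified, so the
    interpretations are the partitions of A (restricted growth strings)."""
    models = []
    for lab in product(range(len(A)), repeat=len(A)):
        if all(lab[i] <= max(lab[:i], default=-1) + 1 for i in range(len(lab))):
            models.append(dict(zip(A, lab)))
    return models

def holds(clause, m):
    return any((len({m[x] for x in atom}) == 1) == s for (s, atom) in clause)

def entails(premises, clause, models):
    return all(holds(clause, m) for m in models
               if all(holds(p, m) for p in premises))

def compact(implicates, A):
    """Remove every prime implicate that Eq_A and the remaining ones already
    entail; the survivors are an equivalent but smaller explanation set."""
    models, axioms = interpretations(A), list(eq_axioms(A))
    keep = sorted(implicates, key=len)
    for c in list(keep):
        rest = [k for k in keep if k != c]
        if entails(rest + axioms, c, models):
            keep.remove(c)
    return keep

# Constructed input: the abducibles of Example 38 and its T_inf, i.e. the
# A-clauses 30 (i ≃ j) and 36 (i ≄ j ∨ b ≄ c) produced by SP_A.
A = ("i", "j", "b", "c")
T_INF = [frozenset({lit(True, "i", "j")}),
         frozenset({lit(False, "i", "j"), lit(False, "b", "c")})]

def explain_from_t_inf(t_inf=T_INF, abducibles=A):
    """R-saturation(T_inf ∪ Eq_A) followed by the compaction step."""
    return compact(prime_implicates(t_inf, abducibles), abducibles)

def pretty(clause):
    parts = []
    for s, atom in sorted(clause, key=str):
        a, b = sorted(atom) if len(atom) == 2 else 2 * list(atom)
        parts.append(f"{a} {'≃' if s else '≄'} {b}")
    return " ∨ ".join(parts)

if __name__ == "__main__":
    for clause in explain_from_t_inf():
        print(pretty(clause))  # prints i ≃ j and b ≄ c, in some order
```

Before compaction the saturated set also holds the reflexivity facts and clauses such as $j \not\simeq b \vee i \simeq b$, which illustrates why the raw set of prime implicates is larger than the explanation a user wants.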

6 A termination result for $\mathcal{SP}_{\mathcal{A}}$ 

In this section we will prove a result that relates the termination of $\mathcal{SP}$ on a set of 
standard clauses $S$ to the termination of $\mathcal{SP}_{\mathcal{A}}$ on an abstracted version of $S$. This 
shows that many existing results about the termination of the superposition calculus 
for subclasses of first-order logic carry over to $\mathcal{SP}_{\mathcal{A}}$. 

We introduce a way to relate standard and abstracted terms by defining a so-called 
relation of $\mathcal{A}$-relaxation. This relation will be used afterwards to relate the forms of the 
clauses generated by $\mathcal{SP}$-inferences and those generated by $\mathcal{SP}_{\mathcal{A}}$-inferences in a more 
precise manner. 

Definition 39 The relation of $\mathcal{A}$-relaxation relates an abstracted term $t$ to a standard 
one $t'$ and is defined as follows: $t \unlhd_{\mathcal{A}} t'$ if and only if $t\gamma_0 = t'\downarrow_{\mathcal{A}}$. 

$^5$ For readability we simply drop irrelevant disequations, i.e. $x \not\simeq a \vee C$ is replaced by $C$ if $x$ does not 
occur in $C$, and $x \not\simeq a \vee x' \not\simeq a \vee C$ is replaced by $x \not\simeq a \vee C\{x' \mapsto x\}$. 

Given an abstracted clause $C$ and a standard clause $C'$, we write $C \unlhd_{\mathcal{A}} C'$ if and only 
if $\overline{\mathcal{A}}(C\gamma_0) = \overline{\mathcal{A}}(C'\downarrow_{\mathcal{A}})$. This relation is extended to sets of clauses in a straightforward 
manner. 

Example 40 Assume $\mathcal{A} = \{a, b\}$, let $C = x \not\simeq a \vee a \simeq b \vee f(x, x, d) \simeq g(y) \vee g(y) \simeq d$ and 
$C' = f(a, b, d) \simeq g(y) \vee g(y) \simeq d$. Then $C \unlhd_{\mathcal{A}} C'$. 

Note that all $\mathcal{A}$-literals are discarded when comparing clauses with the relation $\unlhd_{\mathcal{A}}$. 

Lemma 41 Let $C$ be an abstracted clause such that $\overline{\mathcal{A}}(C) \neq \square$, let $C'$ be an $\mathcal{A}$-reduced 
clause and assume $C \unlhd_{\mathcal{A}} C'$. Let $L = t \bowtie s$ be an $\mathcal{A}$-maximal literal in $C$ and $t$ be an 
$\mathcal{A}$-maximal term in $L$. If $L' = t' \bowtie s'$ is a literal in $C'$ such that $L \unlhd_{\mathcal{A}} L'$, then $L'$ is a 
maximal literal in $C'$ and $t'$ is a maximal term in $L'$. 

Proof. Since $\overline{\mathcal{A}}(C) \neq \square$, by definition of $\prec_{\mathcal{A}}$, $L$ must be a literal in $\overline{\mathcal{A}}(C)$, so that 
$L'$ is well-defined. Furthermore, since $C'$ is $\mathcal{A}$-reduced, $L\gamma_0 = L'\downarrow_{\mathcal{A}} = L'$ by definition. 
Assume that $L'$ is not maximal in $C'$, and consider a literal $M'$ in $C'$ such that $L' \prec M'$. 
Necessarily, $M'$ occurs in $\overline{\mathcal{A}}(C')$, and there must exist a literal $M$ in $\overline{\mathcal{A}}(C)$ such that 
$M \unlhd_{\mathcal{A}} M'$. Again by definition, $M\gamma_0 = M'\downarrow_{\mathcal{A}} = M'$, thus, by definition of $\prec_{\mathcal{A}}$, $L \prec_{\mathcal{A}} M$. 
This proves that $L$ cannot be $\mathcal{A}$-maximal, a contradiction. The proof that $t'$ is a maximal 
term in $L'$ is similar. ■ 

Lemma 44 can be viewed as a dual version of Lemma 22, where abstracted and 
standard terms are switched. We state some preliminary properties before proving the 
lemma. 

Proposition 42 If $\sigma$ and $\sigma'$ are $\mathcal{A}$-compliant substitutions then $(\sigma\gamma_0)(\sigma'\gamma_0) = \sigma\sigma'\gamma_0$. 

Proposition 43 If $t \unlhd_{\mathcal{A}} t'$ and $\sigma$ is $\mathcal{A}$-compliant, then $t'\sigma\gamma_0 = t'(\sigma\gamma_0)|_{\mathcal{V}}$ and $t\sigma \unlhd_{\mathcal{A}} t'\sigma\gamma_0$. 

Proof. It is clear that $t'\sigma\gamma_0 = t'(\sigma\gamma_0)|_{\mathcal{V}}$, since all variables in $t'$ must be in $\mathcal{V}$. By 
definition $t\gamma_0 = t'\downarrow_{\mathcal{A}}$ and by Proposition 42 $t\gamma_0\sigma\gamma_0 = t\sigma\gamma_0$. Since $(t'\downarrow_{\mathcal{A}})\sigma\gamma_0 = (t'\sigma\gamma_0)\downarrow_{\mathcal{A}}$, 
we have the result. ■ 

Lemma 44 Let $t, s$ be abstracted terms, $t' = t\gamma_0$ and $s' = s\gamma_0$. If $t, s$ are $\mathcal{A}$-unifiable 
with mgu $\mu$, then $t', s'$ are unifiable with mgu $(\mu\gamma_0)|_{\mathcal{V}}$. 

Proof. The result is proved by induction on the size of $t\mu$. If one of the terms is in $\mathcal{V}_{\mathcal{A}}$ 
or in $\mathcal{V}$, then it is simple to verify that the result holds. Assume that $t = f(t_1, \ldots, t_n)$, 
and $s = f(s_1, \ldots, s_n)$, and let $t' = f(t'_1, \ldots, t'_n)$ and $s' = f(s'_1, \ldots, s'_n)$. 

We let $\pi_0 = \mathrm{id}$, and for $i = 1, \ldots, n$, $\mu_i$ denotes the mgu of $t_i\pi_{i-1}, s_i\pi_{i-1}$ and 
$\pi_i = \pi_{i-1}\mu_i$. Since $t$ and $s$ are $\mathcal{A}$-unifiable, for all $i = 1, \ldots, n$, $t_i\pi_{i-1}$ and $s_i\pi_{i-1}$ are 
$\mathcal{A}$-unifiable and $\mu_i$ is $\mathcal{A}$-compliant. Thus, so is $\pi_i$ by Proposition 9, and $\mu = \pi_n$. 

Let $\pi'_0 = \mathrm{id}$, for all $i = 1, \ldots, n$, let $\mu'_i$ denote the mgu of $t'_i\pi'_{i-1}$ and $s'_i\pi'_{i-1}$, and 
let $\pi'_i = \pi'_{i-1}\mu'_i$. We show by induction on $i$ that $t'_i\pi'_{i-1}$ and $s'_i\pi'_{i-1}$ are unifiable and 
that $\pi'_i = (\pi_i\gamma_0)|_{\mathcal{V}}$. This will prove that $t'$ and $s'$ are unifiable with mgu $\mu' = \pi'_n = 
(\pi_n\gamma_0)|_{\mathcal{V}} = (\mu\gamma_0)|_{\mathcal{V}}$. 

Assume this result holds for $i - 1$, and consider the terms $t'_i\pi'_{i-1}$ and $s'_i\pi'_{i-1}$. Since 
$t_i \unlhd_{\mathcal{A}} t'_i$ and $s_i \unlhd_{\mathcal{A}} s'_i$, we deduce that $t_i\pi_{i-1} \unlhd_{\mathcal{A}} t'_i\pi'_{i-1}$ and $s_i\pi_{i-1} \unlhd_{\mathcal{A}} s'_i\pi'_{i-1}$ by Proposition 
43. Since the size of $t_i\pi_{i-1}$ is strictly less than that of $t\mu$, we may apply the induction 
hypothesis to conclude that $t'_i\pi'_{i-1}$ and $s'_i\pi'_{i-1}$ are unifiable with mgu $\mu'_i = (\mu_i\gamma_0)|_{\mathcal{V}}$. 
Therefore $\pi'_i$ is well-defined. The fact that no variable in $\mathcal{V}_{\mathcal{A}}$ occurs in the codomain of 
$\pi'_{i-1} = \pi_{i-1}\gamma_0$ together with Proposition 42 permits to verify that 

$\pi'_i = \pi'_{i-1}\mu'_i = (\pi_{i-1}\gamma_0)|_{\mathcal{V}}(\mu_i\gamma_0)|_{\mathcal{V}} = (\pi_{i-1}\gamma_0\mu_i\gamma_0)|_{\mathcal{V}} = (\pi_i\gamma_0)|_{\mathcal{V}},$ 

hence the result. ■ 



Lemma 45 Let $C_1, C_2$ be abstracted clauses that are not variable-eligible, and $C'_1, C'_2$ 
be $\mathcal{A}$-reduced clauses such that $C_1 \unlhd_{\mathcal{A}} C'_1$ and $C_2 \unlhd_{\mathcal{A}} C'_2$. Assume further that neither 
$C_1$ nor $C_2$ is an $\mathcal{A}$-clause. If $C_1, C_2 \vdash_{\mathcal{A}} C$, then $C'_1, C'_2 \vdash C'$ and $C \unlhd_{\mathcal{A}} C'$. 

Proof. We show the result for a paramodulation or superposition inference; the other 
cases are similar. Let 

$C_1 = u \simeq v \vee D_1,$ 
$C_2 = t[w] \bowtie s \vee D_2,$ 
$C = (t[v] \bowtie s \vee D_1 \vee D_2)\sigma,$ 

where $\sigma$ is the mgu of $u$ and $w$. Then by Lemma 41, we have 

$C'_1 = u' \simeq v' \vee D'_1,$ 
$C'_2 = t'[w'] \bowtie s' \vee D'_2,$ 

where $u \unlhd_{\mathcal{A}} u'$ and $t[w] \unlhd_{\mathcal{A}} t'[w']$. By Lemma 41, $u'$ (resp. $t'[w']$) is maximal. Thus$^6$ 
$C'_1, C'_2 \vdash C'$, where $C' = (t'[v'] \bowtie s' \vee D'_1 \vee D'_2)\sigma'$ and $\sigma'$ is the mgu of $u'$ and $w'$. By 
Lemma 44, $\sigma' = (\sigma\gamma_0)|_{\mathcal{V}}$, and by Proposition 43, $C_1\sigma \unlhd_{\mathcal{A}} C'_1\sigma'$ and $C_2\sigma \unlhd_{\mathcal{A}} C'_2\sigma'$. It is 
then straightforward to verify that $C \unlhd_{\mathcal{A}} C'$. ■ 

We define a notion of redundancy that is meant to hold no matter what abducible 
constants occur in the clause under consideration. 

Definition 46 An $\mathcal{A}$-reduced clause $C'$ is $\mathcal{P}$-redundant in an $\mathcal{A}$-reduced set of clauses 
$S'$ if for all sets of abstracted clauses $S$ such that $(S_\nu)\downarrow_{\mathcal{A}} = S'$ and for every abstracted 
clause $D$ such that $(D\nu_D)\downarrow_{\mathcal{A}} = C'$, clause $D$ is $\mathcal{A}$-redundant in $S$. An $\mathcal{A}$-reduced set of 
clauses $S'$ is $\mathcal{P}$-saturated if every clause generated with premises in $S'$ either occurs in 
$S'$ or is $\mathcal{P}$-redundant in $S'$. 

$^6$ The strict maximality conditions for binary inference rules were relaxed in the version of the 
superposition calculus presented in Figure 2 to allow the following inference. 

This notion permits the elimination of clauses that are redundant in the usual sense and 
do not contain any abducible constant. 

Example 47 Assume $\mathcal{A} = \{a, b\}$ and $S' = \{f(c) \not\simeq f(d)\}$, then $C = g(a, c) \simeq h(a) \vee f(c) \not\simeq 
f(d)$ is $\mathcal{P}$-redundant in $S'$. 

Theorem 48 Let $S'$ be a set of $\mathcal{A}$-reduced clauses, and let $T$ be the $\mathcal{P}$-saturated set of 
clauses generated from $S'$. If $T$ is finite and $S$ is a set of abstracted clauses that is 
$\mathcal{V}_{\mathcal{A}}$-stable, variable-inactive and such that $S \unlhd_{\mathcal{A}} S'$, then the set of non-redundant clauses 
generated from $S$ is finite. 

Proof. By Theorem 21, for all $n \geq 0$, every non-redundant clause $C$ generated from 
$S$ is $\mathcal{V}_{\mathcal{A}}$-stable and it cannot be variable-eligible; by Lemma 45, there is a clause $C'$ 
generated by a derivation from $S'$ such that $C \unlhd_{\mathcal{A}} C'$. The clause $C'$ cannot be 
$\mathcal{P}$-redundant because otherwise, by definition, $C$ would be $\mathcal{A}$-redundant. Thus $C' \in T$, 
and since the set $\{D \mid D \unlhd_{\mathcal{A}} C'\}$ is finite up to equivalence, we deduce that the set of 
non-redundant clauses generated from $S$ is also finite. ■ 

Theorem 48 guarantees that $\mathcal{SP}_{\mathcal{A}}$ (and thus Explain) terminates on several classes 
of clause sets, in particular for clause sets related to SMT problems. The authors of [2] 
and [1] prove that sets of the form $T \cup S$, where $T$ is a theory and $S$ a set of ground 
unit clauses, generate finite saturated sets. This result is extended to clause sets of the 
form $T \cup S'$, where $S'$ is an arbitrary set of ground clauses, in [6]. An inspection of 
the finiteness results of [2, 1, 6] shows that they hold not only for saturated sets but 
also for $\mathcal{P}$-saturated sets, since the redundant clauses that are deleted are actually 
$\mathcal{P}$-redundant: they do not contain any constants at all. Thus, $\mathcal{SP}_{\mathcal{A}}$ terminates for clause 
sets of the form $T \cup S'$, where $S'$ is the abstraction of a set of ground clauses, and $T$ is 
the axiomatization of any of the following theories: records, integer offsets, possibly 
empty lists, arrays... 

7 Discussion 

We have presented a calculus that makes it possible to reason about the relations involving 
abducible constants that are logical consequences of a satisfiable set of clauses. These relations 
can be viewed as explanations of why the set is satisfiable, since any of their negations, 
when added to the original clause set, renders the latter unsatisfiable. We proved a 
completeness result for the calculus, along with a sufficient condition guaranteeing its 
termination on classes of clause sets, among which SMT problems in several theories 
of interest. To the best of our knowledge, this approach is novel and there are many 
interesting directions to explore. One first direction is to investigate what set of clauses 
can be considered as a good set of explanations, and determine what a good trade-off 
might be between a small set of explanations that may hide too many details, and a 
large set of explanations that may carry too much unnecessary information. Another 
line of work that is currently under investigation is the search for a more efficient 
way to generate explanations. Indeed, the saturation with the Resolution calculus in 
the presence of the equality axioms is not entirely satisfactory as far as efficiency is 
concerned, and it would be interesting to see how the calculus SP_𝒜 can be enhanced 
to directly produce the required set of explanations. As far as other extensions are 
concerned, we plan to investigate how to extend these results to abducible terms and 
not only abducible constants, by allowing the occurrence of function symbols in A. 
This would allow the derivation of non-ground explanations. Another possibility is to 
consider mixed literals, containing both abducible and non-abducible symbols. It would 
then be possible to generate explanations of the form a ≃ without having to declare 
as an abducible constant. We also plan on devising a calculus capable of efficiently 
generating explanations with abducibles interpreted in a particular theory, such as, e.g., 
arithmetic. 